HIPAA Omnibus Rule of 2013
POSA
August 29, 2013
Renee H. Martin, JD, RN, MSN
Tsoules, Sweeney, Martin & Orr, LLC
29 Dowlin Forge Road
Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
E-mail: [email protected]
History of HIPAA
1996 - HIPAA enacted
1999 – 2000 - Initial Privacy & Security Regulations Issued
2002 - Final Privacy Rules Issued
2005 - Final Security Rules Issued
2009 - HITECH ACT – Interim Final Rule-Breach Notification
2010 - Enforcement Rules published
2013 - HIPAA Final Omnibus Rule
Copyright © 2013 Tsoules, Sweeney, Martin & Orr, LLC
Who is covered under HIPAA?
Who Is Subject to HIPAA?
Covered Entities (direct)
Health plans: insurance companies; HMOs
Health care clearinghouses (process nonstandard data elements into standard data elements)
Health care providers who transmit any health information in electronic form in connection with a covered transaction
Business Associates
Receive PHI from a covered entity
Perform a function on its behalf
What is a Business Associate?
A person who, on behalf of a covered entity:
Performs or assists with a function or activity involving Individually Identifiable Information
Performs certain identified services
Business Associates of a Covered Entity (examples):
Auditors, Lawyers, Actuaries
Billing Firms
Clearinghouses
Management Firms
Consultants, Vendors
Other Covered Entities
TPAs
Accreditation Organizations
Third Parties and Business Associates (Cont.)
Covered entities may disclose PHI to a business associate
As necessary to permit the business associate to perform functions and activities on behalf of the covered entity
Business associate cannot use PHI for its own purposes
Individually Identifiable Health Information (IIHI)
Health information, including demographics, that:
Is created or received by a health care provider, health plan, or health care clearinghouse; and
Relates to the past, present or future physical or mental health or condition; the provision of health care; or the past, present or future payment for the provision of health care to an individual; and
Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI)
Individually identifiable health information that is:
Transmitted by electronic media
Maintained in any electronic media
Transmitted or maintained in any other form (including oral or written PHI)
PHI and the Medical Record
The HIPAA Privacy Rule defines a “designated record set” as follows:
(1) A group of records maintained by or for a covered entity that is:
The medical records and billing records about individuals maintained by or for a covered health care provider;
Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) The term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Privacy Rule Summary
A covered entity may not use or disclose PHI except:
After it gives written Notice about its health information practices to the individual
In accordance with an individual’s written authorization
When requested by the Department of Health and Human Services Office of Civil Rights
General Rule: Required Disclosure
To individual upon individual’s request; some exceptions apply
To HHS in connection with its enforcement and compliance review actions
General Rule: Permitted Disclosures
Notice of Privacy Practices: Treatment, Payment, Health Care Operations
Authorization
Statutory/Regulatory Disclosures
Scope of the Omnibus Rule
Revised breach notification standard
Patient access to information contained in an electronic health record
Regulation of business associates (“BAs”) and subcontractors
Prohibition on “sale” of PHI without authorization
Scope of the Omnibus Rule (Cont.)
Patients’ right to restrict data sharing with payers
Requirements to modify and redistribute the NPP
Clarifies and strengthens OCR’s role in enforcement, the imposition of civil monetary penalties (CMPs), and CMP liability for acts of Business Associates and subcontractors
Duty to Notify in Case of Breach
HITECH Act: Required Notification of Breach of “Unsecured PHI”
What is a “breach”? “The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI”
If definition is met, notification is required
*Applies to both electronic and hard copy information*
Duty to Notify in Case of Breach
What is NOT a “breach”? Determined by:
1. Definition of “breach”
2. Exceptions to definition of a breach
Not a Breach by Definition
Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA), if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted
Not a Breach by Definition
Applies only to “Unsecured PHI”:
If CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 Guidance for PHI, the PHI is “secure” and no notice required.
Per the Guidance,
“Secure PHI” is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the exhaustive list of technologies and methodologies)
IFR Breach Notification Standard
Interim Final Rule (IFR): CEs/BAs must notify of breaches of unsecured PHI that cause a significant risk of harm to the data subjects
Harm includes financial & “other” harm; the standard was controversial
Data correctly encrypted per National Institute of Standards and Technology guidance is not “unsecured PHI”
Omnibus Rule Breach Notification Standard
Definition of “breach” is now changed; “harm” analysis gone
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been “compromised”
Determining whether or not there is a low probability that data has been “compromised” requires analysis of what happened (or may have happened) to the data
Focus has now switched to: what happened to the PHI?
Breach Notification – Risk Assessment
CE/BA should perform a risk assessment post-breach discovery and must consider at least the following:
Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
Who was the recipient of the PHI
Whether the PHI was actually acquired or viewed
The extent to which the risk of misuse of the PHI has been mitigated
Breach Notification – Burden of Proof
If no risk assessment performed, the default is notification
Burden of demonstrating low probability that PHI is compromised is on the CE/BA
Decision not to notify must be documented in case of review
Breach Notification – Obligations to Notify
CEs must notify individuals (although can delegate this to BAs)
BAs must notify CEs
Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain
Breach Notification – Examples of Risk Analysis Criteria
Likelihood of identification or re-identification:
A list of patient names on practice letterhead – high probability
Patient data on your letterhead, patients not specified – can patients be re-identified? – could be low probability (depends on the circumstances)
Who is the unauthorized recipient:
A HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated
An employer – may be able to use personnel records to re-identify – not low probability
PHI actually acquired or viewed:
Untampered-with laptop – low probability
Information mailed to the wrong person – not low probability
Has improper use been mitigated:
Satisfactory assurances of destruction from a known person – low probability
Right to Request Restrictions to Payors
The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI.
The Final Rule created an exception, and requires a CE to agree to a restriction if:
the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full.
OCR Guidance on Disclosure Restrictions
CEs are not required to create separate medical records or otherwise segregate PHI subject to a restriction.
CEs will need to flag restricted PHI or make a notation in the record that the PHI has been restricted.
CEs are not required to abide by a restriction if an individual’s payment fails, is denied, or bounces, but they must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan.
Providers within an HMO who cannot by law accept payment from the individual may counsel the individual to use an out-of-network provider.
If a restriction is sought for one item within a bundle of services, counsel the patient about the ability to unbundle and the effect of doing so, and permit the patient to pay for the entire bundle.
CEs need not inform downstream providers of restrictions, but should counsel patients to seek restrictions and pay out of pocket there, too
Individual Right to Access PHI
HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set.
The Final Rule made significant changes to the individual’s right to access their PHI.
Patient Access to Electronic Health Information
If PHI is held electronically, the individual is entitled to an electronic copy if it is in a “designated record set” (not just the information in an “EHR”)
Must be in the format requested if “readily producible”; if not, in a readable electronic form and format agreed upon by the entity and the individual
Not required to buy new software to do this – but must have the capability to provide some electronic copy
If the individual declines to accept the electronic formats the entity makes available, can default to hard copy
Not required to accept the patient’s device – but can’t require individuals to purchase a device from you if they don’t want to
Patient Access – Reasonable Safeguards
Must have reasonable safeguards in place to protect transmission of ePHI – but…
If an individual wants information by unencrypted e-mail, the entity can send it if they advise the individual that such transmission is risky
Can’t force individuals to accept unsecure transmission
Not then responsible for breach – document the individual’s acknowledgement of risk
Omnibus allows 30 days to produce, with one 30-day extension, for a total of 60 days; OCR urges entities to make information available sooner when possible
If over 30 days, must notify the patient in writing and inform why the extension is needed
Patient Access – Third Parties, Charges
Individuals can have the copy directed to another person/entity – but the choice must be in writing and clearly identify the individual/entity
Information must be protected and the entity must implement reasonable policies and procedures to send it to the right place (e.g., type the e-mail address correctly)
“In writing” can be electronic
Fees charged are restricted to labor costs of copying – cannot include cost of retrieval, or a portion of capital costs
Charge can include supplies provided to the individual upon request
Business Associates/Subcontractors
Omnibus rule conforms HIPAA regulations to HITECH Act changes
Before HITECH, BAs were regulated through business associate contracts or agreements (“BAAs”)
After HITECH, BAs and subcontractors are regulated directly under HIPAA
Must comply with the Security Rule (rule is flexible to accommodate small BAs)
Must comply with some of the Privacy Rule and the provisions of the BAA
Still need a BAA
Notice of Privacy Practices (NPP)
NPPs must include:
Statements regarding certain uses and disclosures requiring authorization – e.g., psychotherapy notes (where appropriate), marketing, sales of PHI, right to restrict disclosures to health plans (provider only), and right to be notified of breach; and
General statement that all uses and disclosures not described in NPP also require authorization
New patients get the revised NPP by 9/23/13; other patients receive it as they come in to be seen
What the OCR says about Enforcement
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Leon Rodriguez, Director, OCR
Enforcement Rule – BAs, Investigations, Reviews
Civil monetary penalties (CMPs) can be assessed directly against business associates
Complaint investigations and compliance reviews:
Required whenever there is evidence of a possible HIPAA violation due to willful neglect
Discretionary in the absence of possible willful neglect
Every complaint will be investigated preliminarily
Secretary has discretion to move directly to imposition of CMPs without informal resolution
Enforcement - Coordination
Secretary may disclose PHI to another agency on request
Coordination of Department of Justice and FTC (http://www.hhs.gov.ocr/enforcement)
Coordination with State Attorneys General to assist with their direct enforcement
Enforcement
Violation – State of Mind | Penalty Range Per Violation | Maximum amount for all such violations of an identical provision in a calendar year
Did Not Know | $100 – $50,000 | $1,500,000
Reasonable Cause | $1,000 – $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000
Enforcement - CMPs
New definition of “Reasonable Cause” to address state of mind: knew it was a violation but without willful neglect
Definition of “willful neglect” retained: “conscious, intentional failure or reckless indifference”
Enforcement – CMPs – Liability for Agents
Note: Workforce members liable for breach under HITECH
CEs and BAs and subcontractors are liable for HIPAA violations of their agents
Fact specific determination: did the principal control or have the right to control or direct the agent’s conduct in performing a contracted service?
The manner and method by which the principal actually controls the service provided is determinative
Enforcement Rule – Considerations for CMPs
OCR will consider the following:
Nature and extent of the violation
Nature and extent of any physical, financial or reputational harm
The covered entity’s or business associate’s history of prior noncompliance with the statute
The financial condition of the covered entity or business associate
Other factors as required for justice
Extent of reputational or other harm
Time period during which violations occurred
Number of individuals affected
Next Steps
Review policies, procedures, forms, and update
Train staff on new provisions
Inventory BAs and update BAAs
Update breach response plan; in particular, update risk assessment and address encryption
Don’t delay