
Page 1: HIPAA Omnibus Rule Practice Impact - MicroMD · 2014-04-22

HIPAA Omnibus Rule Practice Impact

Kristen Heffernan, MicroMD Director of Product Management and Marketing

Page 2

HIPAA Omnibus Rule: Agenda

• History of the Rule
• HIPAA Stats
• Rule Overview
• Use of Protected Health Information (PHI)
• Patient Access to Electronic Health Records
• Business Associates (BAs)
• Security Rules
• PHI Breaches + Notification
• Audits, Consequences + Penalties
• Avoiding HIPAA Consequences
• Surviving a HIPAA Audit
• MicroMD HIPAA Compliance + Support
• HIPAA Resources

Page 3

History of the Omnibus Rule

• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
• Omnibus Rule 2013

• Before HITECH, Business Associates (BAs) were regulated only indirectly, through Business Associate Agreements (BAAs): a BA had to comply with the Security Rule and some Privacy Rule requirements only because they were written into its BAA
• After HITECH, BAs and their subcontractors are regulated directly by HIPAA

Page 4

HIPAA Stats: 2009 to 2012*

• 538 PHI breaches (21M+ health records)
• 67% of breaches are a result of theft or loss
• 57% of patient record breaches involved a BA
• 38% are a result of an unencrypted laptop or other portable electronic device

*Breaches impacting 500 or more individuals, as reported to HHS Aug 2009 to Jan 2013

Page 5

Rule Overview

• Changes to the permitted uses of Protected Health Information (PHI)
• Patient access to electronic PHI (ties to Meaningful Use (MU) requirements)
• New requirements for Business Associates and their subcontractors
• Defines new security requirements: it is not enough to just complete the security risk assessment; practices now need to act on its findings (ties to MU requirements)
• Updated definition of a PHI breach, how to assess the breach, and the notification requirements
• Outlines penalties

Page 6

Use of Protected Health Information (PHI)

• Limitations on use of PHI for marketing + fundraising purposes

• Prohibits sales of PHI without individual authorization to do so

• Broadens the patient's ability to restrict disclosure of PHI to a health plan, for instance when a patient pays for a service out of pocket in full

Page 7

Patient Access to Electronic Health Record

• Expands patient rights to request + receive electronic copies of their health record
• Ties into Meaningful Use (MU) for eligible professionals (EPs):
  - Stage 1 Core Objective 12: More than 50 percent of all unique patients seen by the EP during the EHR reporting period are provided timely (within 4 business days after the information is available to the EP) online access to their health information, subject to the EP's discretion to withhold certain information
  - Stage 2 Core Objective 7: Provide patients the ability to view online, download and transmit their health information within 4 business days of the information being available to the EP

Page 8

Business Associates (BAs): Why the changes?

• Before HITECH, management of PHI by BAs was loosely defined; the law only required them to "use appropriate safeguards"
• No established standards
• No way to validate that standards were being followed
• Laptops don't always have encrypted disks
• Users often disable or don't update virus protection
• Covered Entities (CEs) with limited IT resources
• Increasing EMR adoption

Page 9

Business Associates (BAs): Definition

• IT equipment, support + software vendors
• Leasing firms
• Data centers
• Cloud computing providers
• Telephony + answering service vendors
• Shredding vendors
• Billing services
• Transcription services
• Collection services
• Temporary employment agencies

"Persons who, on behalf of a Covered Entity (other than the Covered Entity's workforce), perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA."

Page 10

Business Associates (BAs): Omnibus Impact

• Extends requirements for privacy and security rules to physician BAs and their subcontractors

• HHS Secretary authorized to receive complaints and take action against BAs and subcontractors

• BAs and subcontractors required to maintain own records and provide HHS access to info

• BAs and subcontractors subject to civil money penalties for violations

• BAs remain liable under contract to the Covered Entity (CE), and subcontractors are liable under contract to the BA

Page 11

Business Associates (BAs): Must Document

• Risk Analysis
• Continuity Plan
• Security Practices and Procedures
• Incident Response Plan (Breaches)
• Records Disposal Procedure for Electronic Media and Paper Records
• Employee Training Program
• Termination Procedures
• Audit Logs

Page 12

Business Associates (BAs): Must

• Protect data + uphold privacy and security measures
• Restrict access to PHI via password
• Secure servers; limit access
• Receive and forward data automatically
• 128-bit encryption for reports
• Restrict PHI to "need to know"
• Automatic password expiration
• Store archives and backups in a fireproof safe
• Mandatory HIPAA training
• Monitored security system
• Automated, securely-stored data backups
• Automated virus checks
• Properly dispose of data
• Delete data from BA systems at the end of the BA relationship
• Not retain paper copies

Page 13

Business Associate Agreement (BAA): Elements

• Specifies
  - Purpose for use of PHI
  - Functions, activities or services performed for the CE
• BAs agree to
  - Not use PHI outside of the specified requirements
  - Use appropriate safeguards
  - Mitigate any disclosure that violates the BAA
  - Report disclosures to the CE
  - Document disclosures

Page 14

Business Associate Agreement (BAA): Elements

• Designates
  - BA may use PHI for data aggregation
  - BA may use PHI to report violations of law
  - Notification of changes in the BA's PHI disclosure procedures
  - Notification to the BA of PHI use or disclosure
  - Term and termination provision
  - Provision that the BAA applies to subcontractors
  - BA returns or destroys PHI and retains no copies (or, if return is not feasible, specifies the conditions under which it is kept)

Page 15

Business Associates (BAs): Violations

• HITECH deems a BA to violate HIPAA if the BA
  - Knows of a pattern of activity or practice of the CE that breaches the Business Associate Agreement (BAA), and
  - Fails to cure the breach, terminate the BAA, or report the non-compliance to HHS

Page 16

Security Rules

• BAs + Subcontractors should already have in place security practices that either comply with the HIPAA Security Rule, or that only require modest improvements to come into compliance

• CEs and BAs must review and modify security measures to ensure the continued provision of "reasonable and appropriate" protection of PHI

• Specifies that the BA, not the CE, must secure assurances of adherence from its subcontractors

• Subcontractor of a BA must report security incidents, including breaches, to its BA

Page 17

PHI Breaches + Notification

• Defines that any improper use or disclosure of PHI is presumed to be a breach that triggers the official notification requirements, unless the organization in question carries out a risk assessment and demonstrates otherwise

• Applies only to "unsecured PHI": PHI not rendered unusable, unreadable or indecipherable to unauthorized persons (in practice, PHI that has not been encrypted or destroyed as specified in HHS guidance). Loss of PHI that was encrypted to that guidance, with the key not compromised, therefore does not trigger notification

Page 18

PHI Breaches + Notification

• Changes the definition that determines when notification of a breach is required
  - 2009: requirement was to notify of a breach only if there was a "significant risk of harm" to the individual
  - 2013: any acquisition, access, use or disclosure of PHI that is not permitted under HIPAA is presumed to be a breach, unless the Covered Entity or Business Associate can demonstrate, using a 4-factor assessment, that there is a low probability that the PHI has been compromised

• "Risk of harm" used to be the threshold for determining that a breach had occurred

• Now the Office for Civil Rights (OCR) applies a "presumption of breach" as the threshold, making it more likely that notification of a PHI breach will be required

Page 19

Common Breaches

• Impermissible use and disclosure of PHI
• Lack of safeguards for PHI
• Lack of patient access to PHI
• Complaints about the CE to HHS

Page 20

Breach Notification: Assessment

• 4 factors must be assessed:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

• If the assessment of these factors fails to show a low probability that the PHI has been compromised, breach notification is required; document the assessment either way, since the burden of proof is on the CE or BA

Page 21

Breach Notification: Examples

• Example 1: A laptop computer was stolen and recovered, and analysis shows the PHI on the computer was never accessed, viewed, transferred, acquired or compromised in any way. Factor 3 (the PHI was not actually acquired or viewed) supports a finding of low probability of compromise, so notification would likely not be required; keep the analysis on file

• Example 2: Credit card numbers and social security numbers were included on the laptop, and analysis shows the data was transferred. The sensitive identifiers (factor 1) and the fact that the data was actually acquired (factor 3) mean a low probability of compromise cannot be shown, so notification is required

Page 22

Breach Notification: Obligations

• Notify impacted individuals, in plain language, by written notice sent by first-class mail (or e-mail if the individual has agreed to electronic notice), including:
  - Description of how the breach occurred
  - Date of the breach + date of discovery
  - Description of the compromised PHI (data fields)
  - Steps individuals can take to protect themselves from resulting harm
  - Steps the CE is taking to investigate, resolve and protect against further breaches
  - Contact info of the Privacy Officer

• Also notify by phone or other means in urgent situations

• Minors: notify parent or designated guardian
• Deceased: notify next of kin or personal representative
• Disclosure of SSN: check state breach-notification law as well

Page 23

Breach Notification: Obligations

• Notify the Secretary of HHS
  - Breaches involving 500 or more individuals: submit notification online at http://ocrnotifications.hhs.gov/ no later than 60 days after discovery
  - Breaches involving fewer than 500 individuals: log each breach and submit the log to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered
  - Documentation of breaches must be retained for 6 years (the HIPAA documentation retention period)

• Notify the media
  - If the breach involves more than 500 residents of a state or jurisdiction
  - Must be a prominent media outlet serving that state or jurisdiction
  - No later than 60 days after discovery

Page 24

Audits, Consequences + Penalties

Violation category              Civil money penalty per violation   Cap for all violations of an identical provision in a calendar year
Did Not Know                    $100 to $50K                        $1.5M
Reasonable Cause                $1K to $50K                         $1.5M
Willful Neglect: Corrected      $10K to $50K                        $1.5M
Willful Neglect: Not Corrected  $50K                                $1.5M

Page 25

Avoiding HIPAA Consequences

• Read the full rule
• Modify and redistribute your Notice of Privacy Practices
• Amend BAAs to add security and privacy provisions and reissue them for signature
• Do a test run before ever encountering a breach
• Complete a Security Risk Assessment
• Identify gaps + fix them
• Document policies + procedures
• Create an action plan for breaches
• Conduct regular internal audits
• Have your BAAs handy; alert your BAs
• Establish audit reports; schedule + print them
• Train staff

Page 26

Surviving a HIPAA Audit

• Audits have been rare; they tend to occur following a breach notification

• Initial document request period: 10 days

• The audit process entails:
  - Site visit: interviews with stakeholders and examination of health information systems
  - Site audit report: physical safeguards, daily operations, adherence to policies and HIPAA compliance
  - Remediation: identify gaps and prioritize fixes; CEs should start an immediate "good faith effort"

• If you've prepared + documented it, you'll be able to show a "good faith effort"

Page 27

MicroMD HIPAA Compliance + Support

• BAAs
  - Secure signed BAAs from each client
  - Provide you with a signed BAA from MicroMD
  - Secure signed BAAs from each MicroMD vendor + subcontractor
  - HIPAA Compliance Officer: Linda Spinelli: [email protected]

• Maintain HIPAA-compliant
  - Policies
  - Procedures
  - Training

• Security
  - Encrypted HIPAA-compliant data security for the MicroMD Cloud data center
  - Offer HIPAA-compliant eBackUp service for non-Cloud data backup

• Auditing
  - Audit logs to track and document HIPAA-related items
  - Client support for questions regarding audit documentation

Page 28

HIPAA Resources

• Federal Register HIPAA Final Rule, Jan 2013 (138 pages): http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

• HIPAA Survival Guide: http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php

• AMA Summary: https://download.ama-assn.org/resources/doc/washington/x-pub/hipaa-omnibus-final-rule-summary.pdf

Page 29

HIPAA Omnibus Rule Practice Impact