OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR Court Reporters and HIPAA

Transcription

1 Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR

2 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act of It in part strives to make sure your medical information and records are kept private and secure and under your control, no matter who ends up with them. I have WHAT??? 2

3 HIPAA Roles & Relationships The HIPAA regulations apply to health care providers, health plans (i.e., public or private health insurance plans), and health care clearinghouses (i.e., organizations that support specific types of electronic transactions). These three types of organizations are known as covered entities, under the regulations. The regulations also apply to service providers that create, receive, transmit, or maintain protected health information (PHI) on behalf of covered entities. Such service providers are called business associates. You will gain a new cadre of business associates you never knew existed! 3

4 HIPPA, HITECH & YOU! So now I know what HIPAA is, what s HITECH (NOT high tech!) The Health Information Technology for Economic and Clinical Health ( HITECH ) Act, enacted in 2009, raised the bar for protecting PHI. 4

5 HIPAA regulations have been recently updated and must now meet a number of new requirements put in place by the HITECH Act. Those changes were published in January 2013 and are effective as of September 23, Most notable for OCRA members is that under the new regulations sometimes referred to as the HIPAA Omnibus Rule business associates are now subject to direct regulatory enforcement. 5

6 Further, business associates must now treat their subcontractors who create, receive, transmit, or maintain PHI in the same manner that covered entities treat their business associates. This is where YOU COME IN! 6

7 WHY ME?? Why the %#8&! Do I Need to be Involved in this? Simple Answer: Because the U.S. Department of Health & Human Services says so. (dang)! Here s what it has said: In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer? 7

8 Not so simple Answer: It depends on who the recipient is. The business associate agreement (BAA) between the covered entity and the lawyer business associate must provide that the lawyer will ensure that any agents, including subcontractors (like court reporters), to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information. See 45 CFR (e)(2)(ii)(D). 8

9 NOW I get it This, too, will absorb into my brain! Thus, if a lawyer/business associate enlists the services of a person or entity in furtherance of the lawyer s legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer s business associate contract with the covered entity requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate (now you and your down - stream service providers (scopists, etc.) 9

10 Tell Me More, if you MUST! Pursuant to its business associate contract, a lawyer must ensure that other legal counsel, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the covered entity (meaning you), will also safeguard the privacy of the protected health information the lawyer receives to perform its duties. Conversely, a lawyer- business associate needn t ensure that opposing counsel, fact witnesses, or other persons who do not perform functions or services that assist the lawyer in performing its services to the client, agree to the business associate restrictions and conditions, even though the lawyer may have to disclose protected health information to these third parties. See link. And, also, because 45 CFR (e)(2)(ii)(D) says this, governing the behavior of business associates when it comes to providing protected health information to others: (D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information. 10

11 I m not a lawyer! What s all this mean? As someone who is hired by a lawyer the HIPAA obligations imposed on the lawyerbusiness associate float downstream to you. So, if you receive protected health information either via the text of a deposition or medical record exhibits, you have the same obligations to abide by HIPAA as the lawyer and a lawyer can ask that you offer satisfactory assurance in the form of signing a contract saying you will treat such information according to HIPAA. And here (from 45 CFR (e)) are the core requirements of such contracts, keeping in mind that the full, sample contract provided by the Department of Health & Human Services is in Appendix A, below. ding/coveredentities/contractprov.html#top 11

12 What Elements are Required in a BAA (Business Associate Agreement)? The recent changes to the HIPAA regulations have caused most covered entities to review their compliance programs. Moreover, business associates such as lawyers and other service providers are now required to execute a BAA with their subcontractors. These factors make it much more likely that you are now being presented with BAAs, perhaps even for the first time. 12

13 Under the HIPAA regulations, BAAs must include ten specific provisions, even if those terms do not apply to the particular services you may be providing to a covered entity (as a business associate) or to a business associate (as a subcontractor). Thus, you should expect a BAA to: 13

14 10 Provisions of BAAs 1. Establish the ways that the business associate (or subcontractor) is permitted to use and disclose PHI. 2. Provide that the business associate (or subcontractor) may not use or disclose PHI in any other manner. 3. Require that the business associate (or subcontractor) implement safeguards, consistent with the Security Rule. 14

15 4. Require the business associate (or subcontractor) to report any unauthorized use or disclosure of PHI, including breaches. 5. Ensure that the business associate (or subcontractor) supports patient rights, including accounting of disclosures (with proper data collection) and PHI access and amendment, under the Privacy Rule. 6. Obligate the business associate (or subcontractor) to comply with the applicable requirements, if it is carrying out any of the covered entity s duties or obligations under the Privacy Rule. 15

16 7. Require that the business associate (or subcontractor) make its internal practices, books, and records regarding its PHI-related activities and compliance with the HIPAA regulations available to HHS, in the event of a request or investigation. 8. Call for the business associate (or subcontractor) to either destroy or return any PHI at the BAA s termination, or if destruction is not feasible, to continue to safeguard the PHI. 16

17 9. Require that the business associate (or subcontractor) ensure any of its subcontractors agree to the same restrictions and conditions regarding PHI (i.e., execute a BAA that flows down substantially similar provisions). 10. Authorize termination of the BAA, if the business associate (or subcontractor) violates a material term. 17

18 How Can I Boil this DOWN? THERE ARE 3 THINGS TO THINK ABOUT: 1. Your internal office processes. 2. Your relationships with lawyers. 3. Your relationships with your own subcontractors (videographers, scopists, proof readers). Let s take these one at a time 18

19 Your Internal Office Processes Treat protected health information the same way you would want your information treated. HIPAA safeguards require that you: Train your staff. Provide training to employees, contractors and subcontractors on how to prevent the improper use or disclosure of protected health information. The gist of such training is that such information should looked for, be afforded unique attention, and handled with special care. Get this issue on your employees and reporters radar screens. 19

20 Internal Administrative Safeguards Adopt written policies and procedures regarding the safe-guarding of protected health information. These should include what happens when there is a breach and that protected health information should be handled in the fashion permitted by the Oregon Code of Civil Procedure unless otherwise specified. Original exhibits containing protected health information should be returned to the client along with the original, scans or copies of them available only to those legally entitled to them. 20

21 Technical Physical Safeguards Adopt appropriate technical safeguards to ensure protected health information, is handled appropriately including access controls to electronic and physical files, authentication of who can access them, and transmission security. Adopt appropriate physical safeguards to protect protected health information, including workstation security. HINT: HIPAA is very onerous. BUT, you are probably already doing many of the things HIPPA requires. You are likely not leaving transcripts lying around where strangers can stroll in and snag them. You are likely treating transcripts and exhibits with security and care. Your staff and reporters already likely know or have been told not to save transcripts or exhibits on unsecured laptops that travel to coffee shops and the like, only to be left behind. Your likely password protect and limit access to your databases. If so, this may mostly be a matter of simply documenting and putting into HIPAA words what you are already doing and why. 21

22 Your Relationships with Lawyers Lawyers have a duty to ask you to abide by HIPAA. Plus, you have an obligation to follow the law. That said, you are not a lawyer and cannot be expected to know the ends and outs of what constitutes protected health information, especially in close cases. More importantly, neither can your reporters. 22

23 If your policies, procedures, and technology are sufficient overall to satisfy HIPAA, then it doesn t really matter whether or not your clients pre identify a deposition or exhibits as implicating HIPAA. If that isn t the case, then you may need to consider asking your clients up front or your reporters after a deposition whether there was medical testimony or records produced so that special, HIPAA compliant procedures can be used to protect them. 23

24 As lawyers begin increasingly to ask that you sign HIPAA contracts, scrutinize the terms of the contract benchmarked against the model contract in the appendix below from the U.S. Department of Health & Human Services. Ask OCRA to talk to OSBA. Maybe a standard BAA can be created? 24

25 Your Relationship to your Own Subcontractors As you are to your lawyer clients, so your subcontractors are to you. Meaning, just as lawyers have to make sure their subcontractors have satisfactory assurance that they are complying with HIPAA, you should consider obtaining the same protection in the form of a contract to make sure your proofreaders or scopists are abiding by HIPAA, just as you are. Am I going to have to hand out those Privacy Policy thingies like I get and don t read at my doctor s office? No. 25

26 Who Should I Execute a BAA with? Keep in mind that as a business associate (or subcontractor), you must (1) comply with the HIPAA regulations; and (2) execute a BAA with any subcontractors who assist you in providing services that involve creating, receiving, transmitting, or maintaining PHI. For instance, you should have a BAA in place with independent contractors you hire to provide applicable services to clients with whom you have a BAA. You should also execute a BAA with vendors, such as information technology service providers, if they have access to the PHI that you create, receive, transmit, or maintain. 26

27 If you use cloud services to create, receive, transmit, or maintain PHI, then you will need to execute a BAA with them. You are also responsible for maintaining reasonable oversight for your: Independent contractors scopists Proof readers Videographers Print or copy companies Cover your backside! 27

28 OVERVIEW Key Compliance Steps Complying with the HIPAA regulations may seem daunting, but there are resources available to help you and some simple steps you can take now to get started: Review BAAs. Collect and maintain any BAAs that you have executed and periodically review them to ensure that you understand the requirements and maintain compliance. Perform a risk analysis. This includes documenting when and how you handle PHI, where it is stored, and how you protect it. Compare your safeguards to those required by the Security Rule and resolve any gaps that you identify. 28

29 Train your workforce. Ensure that you and your employees understand your HIPAA obligations, and hold your subcontractors to the same standards. Implement safeguards. Recognize that the HIPAA regulations allow you to select an approach that is appropriate for the size and complexity of your business. For example, investigating the use of secure , encryption for your mobile devices, proper access controls to limit who can access PHI, and cloud computing services that comply with HIPAA requirements are great places to start. Manage your subcontractors. Keep track of subcontractors who handle PHI and ensure that you have executed appropriate BAAs. 29

30 Develop a breach response plan. Consider and document how you would handle a data breach that involves PHI before it happens. Who will you notify? How long do you have to respond? How will you mitigate risks? What other actions will you take to investigate and resolve the event? Document your HIPAA compliance program. Think like an auditor what would you like to see to demonstrate your compliance program fitness? Put together a simple compliance notebook (online or on paper) that describes the steps you have taken and tracks your ongoing activities. Seek advice specific to your business situation and needs. Utilize available resources and seek specific legal advice when you have detailed questions or concerns. 30

31 What if there s a BREACH? In addition to these required provisions, covered entities will often impose additional requirements on their business associates, in an effort to lower their own risk. For example, a covered entity may call for notification of any unauthorized use of PHI or a data breach within a specific, brief period of time, such as five or fewer business days. Covered entities also commonly seek indemnification from their business associates for any costs associated with breaches or other unauthorized uses of PHI. 31

32 What if there s a BREACH ~ pg 2 ~ For instance, a covered entity may ask you to agree that you will take responsibility for any fines, litigation costs, or other expenses (e.g., notifying affected individuals), if you or your workforce causes a data breach. Business associates often look to flow similar provisions down to their subcontractors. Before agreeing to any BAA provisions that call for narrow timeframes or other limits, or that go beyond the ten required elements described above, you should carefully review and consider the obligations, potential risks, and your available resources. In such circumstances, you should also consider seeking specific legal advice. 32

33 The Enforcement Rule The Enforcement Rule (See 45 CFR 160.3xx-.5xx) specifies the processes and procedures to address potential violations of the HIPAA regulations. Civil money penalties, under the HITECH Act, may range from $100 to $50,000 per violation or a total of $1.5M for identical violations during a calendar year, based on the level of culpability. 33

34 General Overview Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-phi, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures. Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-phi only when such access is appropriate based on the user or recipient's role (role-based access). 34

35 Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-phi. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures. Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule Physical Safeguards. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed. 35

36 Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-phi). Technical Safeguards Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-phi). Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-phi. Integrity Controls. A covered entity must implement policies and procedures to ensure that e-phi is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-phi has not been improperly altered or destroyed. Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-phi that is being transmitted over an electronic network. Cyber Security Insurance. You can purchase insurance in case of a breach. 36

37 RESOURCES ding/srsummary.html 2e411a1.htm Where Can I find More Information? 0-1cf be7ccb0f4a769843/presentation/publicationattach ment/81794b42-2bcc-4d74-94e5- be bd/13-066%20hipaa-hitechomnibus-finalrule.pdf htm Portland-OR/2477/35 37

38 Appendix A Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all definition: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Specific definitions: (a) Business Associate. Business Associate shall generally have the same meaning as the term business associate at 45 CFR , and in reference to the party to this agreement, shall mean [Insert Name of Business Associate]. (b) Covered Entity. Covered Entity shall generally have the same meaning as the term covered entity at 45 CFR , and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity]. (c) HIPAA Rules. HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. Obligations and Activities of Business Associate Business Associate agrees to: (a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law; (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement; (c) Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR , and any security incident of which it becomes aware; [The parties may wish to add additional specificity regarding the breach notification obligations of the business associate, such as a stricter timeframe for the business associate to report a potential breach to the covered entity and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the covered entity.] (d) In accordance with 45 CFR (e)(1)(ii) and (b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information; (e) Make available protected health information in a designated record set to the [Choose either covered entity or individual or the individual s designee ] as necessary to satisfy covered entity s obligations under 45 CFR ; [The parties may wish to add additional specificity regarding how the business associate will respond to a request for access that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to provide the requested access or whether the business associate will forward the individual s request to the covered entity to fulfill) and the timeframe for the business associate to provide the information to the covered entity.] (f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR , or take other measures as necessary to satisfy covered entity s obligations under 45 CFR ; [The parties may wish to add additional specificity regarding how the business associate will respond to a request for amendment that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to act on the request for amendment or whether the business associate will forward the individual s request to the covered entity) and the timeframe for the business associate to incorporate any amendments to the information in the designated record set.] (g) Maintain and make available the information required to provide an accounting of disclosures to the [Choose either covered entity or individual ] as necessary to satisfy covered entity s obligations under 45 CFR ; [The parties may wish to add additional specificity regarding how the business associate will respond to a request for an accounting of disclosures that the business associate receives directly from the individual (such as whether and in what time and manner the business associate is to provide the accounting of disclosures to the individual or whether the business associate will forward the request to the covered entity) and the timeframe for the business associate to provide information to the covered entity.] (h) To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and (i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. 38