1 Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies
2 Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case. Every effort has been made to assure this information is up-to-date as of the date of publication. It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.
3 Overview Due to the increased breadth and reach of HIPAA's Privacy and Security Rules related to the HiTECH Act, covered entities and their business associates need to assure strict compliance to avoid costly enforcement activity.
4 The HITECH Act
5 HITECH Act Part of the ARRA Intent is to accelerate the adoption of electronic health records by providers, and the development of a national network for the exchange of those records. Significant money available ($21 billion), most in the form of Medicare and Medicaid incentives to providers for meaningful use of EHRs, starting in Providers must still pay for the initial investment of hardware and software.
6 Impact on business associates Overall: Where HIPAA previously applied to business associates via contract (when a covered entity contracted with a business associate), now certain key aspects of HIPAA, including fines and penalties, will directly apply to business associates as well as to individual employees of companies that violate HIPAA. See, Title VIII of the American Recovery and Reinvestment Act of 2009, Public Law
7 ARRA Directly Applies HIPAA Security to Business Associates Under ARRA, the following sections of HIPAA's Security Rule apply to business associates: o Administrative safeguards o Physical safeguards o Technical safeguards o Policies and procedures and documentation requirements
8 Application of Privacy Provisions to Business Associates Business associate agreements bind business associates to use and disclose PHI per the terms of those agreements, per HIPAA's requirements, just as though HIPAA directly applied to the business associates. Business associates now have direct compliance responsibility as well. See, Section
9 Application of Privacy Provisions to Business Associates Policing. In the event business associates are aware that covered entities are violating HIPAA, unless the business associate's efforts to get the covered entity to take corrective steps are successful - o the business associate must terminate the contract or arrangement, or o if termination is not feasible, notify HHS of the situation. A business associate's failure to take any of these steps constitutes a violation of HIPAA in and of itself, subjecting it to fines and penalties under HIPAA (as though it were a covered entity). See, Section and HIPAA at 45 CFR Section (e).
10 Application of Privacy Provisions to Business Associates Failure of a business associate either to abide by HIPAA's business associate provisions or to self-police covered entities will subject it to civil and criminal penalties under HIPAA's Privacy Rule to the same extent as covered entities. See, Section 13404(c).
11 Restrictions on Disclosures If a patient requests restrictions on the disclosure of his or her PHI to a health plan (for payment or operations purposes) and the health care item or service to which the PHI applies has been paid out of pocket in full, the covered entity must now agree to that request for restriction. See, Section 13405(a) and HIPAA at
12 Minimum Necessary Safe harbor if the entity limits the use, disclosure or request of PHI to the limited data set ("or if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively"). See, Section 13405(b). HHS must issue guidance on this by August 17, See, Section 13405(b)(1)(B). In a recent report HHS indicated the guidance is to be issued before year end.
13 Updating Business Associate Agreements Drafting Suggestions Focus more attention on permitted uses and disclosures of PHI. Document your expectations about what should happen when and if either the covered entity or the business associate becomes aware of the other's HIPAA violations. Vendors, service providers and other second-tier business associates: be certain to update their agreements. Breach notifications: if you have not already updated based on the 45 state laws, update now for HIPAA/HITECH.
14 Practical Advice In preparation for the HITECH Act changes to HIPAA's Privacy and Security Rules, now is a good time to pull out your business associate agreements, read them through and determine what conversations you might want to begin having: if you are a covered entity, with your business associates; and if you are a business associate, with your covered entity clients.
15 Proposed Accounting for Disclosure Regulations Issued May 31, 2011; Comment Period Runs to August 1, 2011
16 Accounting for Routine Disclosures An entity that maintains an electronic health record on an individual is responsible for maintaining (and providing to the individual upon request) an accounting of all disclosures of the EHR or of information from the EHR, including those for treatment, payment and operations. Note that under HIPAA there was previously no requirement to account for routine disclosures. See, HIPAA at 45 CFR Section and HITECH at Section 13405(c).
17 Recent HHS Enforcement Enforcement both at federal and state levels
18 Recent Enforcement July 7, 2011 HHS and UCLA Health System settle up for $865,000 when two celebrities complained that UCLAHS employees repeatedly snooped in their records February 22, 2011 Cignet Health receives $4.3MM in civil penalties and fines for denying 41 patients access to their records and for failing to cooperate with HHS investigators February 14, 2011 Mass General and HHS settle up for $1MM when an employee left records of 192 patients from an infectious disease outpatient center on a commuter train
19 Enforcement State A.G.s The HITECH Act permits state attorneys general to bring o civil actions in federal court o on behalf of state residents o to prevent further violations of health care privacy and security or to recover damages. Note: HHS may still enforce. First A.G. to enforce: Connecticut in the HealthNet matter. See, Section 13410(e)
20 Boot Camps for AGs Under the HiTECH Act, state Attorneys General may now enforce HIPAA's provisions. Over the summer HHS has been conducting boot camps for representatives from all AGs' offices to train them on how to enforce HIPAA's provisions.
21 Recent Court Action Preemption suit out of the highest court in California: more stringent state laws affording privacy may apply despite some of the preemption language in FCRA/HIPAA. EEO decision that a nurse bringing an EEO claim is NOT entitled to obtain and use PHI to try and prove her case; patient privacy under HIPAA trumps her rights.
22 Liability for Individuals, Employees Under the HITECH Act, employees and other individuals who themselves are not covered by HIPAA may be found to have violated HIPAA if PHI is obtained or disclosed by the employee without the patient's authorization. See, Sections
23 Sales of PHI or EHR: Prohibited Without each patient's individual written authorization, neither a covered entity nor a business associate may sell or exchange an EHR or any PHI, except in limited circumstances or for remuneration that is provided by a covered entity to a business associate for activities involving the PHI that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement. Regs: by August 17, 2010 (?) Effective date: 6 months after regs. See, Section 13405(d).
24 Tiered Increase in Civil Penalties; Application to Business Associates
Tier I Violation (did not know and could not have known with exercise of reasonable diligence): at least A, not more than D
Tier II Violation (due to reasonable cause and not willful neglect): at least B, not more than D
Tier III Violation (due to willful neglect): at least C, not more than D
Tiers of Penalties: A. $100/violation, capped at $25,000/year; B. $1,000/violation, capped at $100,000/year; C. $10,000/violation, capped at $250,000/year; D. $50,000/violation, capped at $1,500,000/year. See, Section
25 Tiered Increase in Penalties; Application to Business Associates Penalties now may be applied directly to business associates. Effective date for increased penalties: to any HIPAA violations that occur after February 17, See, Section 13410(d)(4)
26 Civil Monetary Penalties May be used to fund further Office for Civil Rights enforcement activities; or May be used to compensate individuals harmed by HIPAA violations (subject to the terms and conditions of regulations to be promulgated by February 17, See, Section 13410(c).
27 Criminal Penalties Now apply to employees or other individuals who wrongfully disclosed PHI regardless of whether they actually work for (or are) a covered entity so long as o The PHI wrongfully disclosed was maintained by or on behalf of a covered entity; and o There was no authorization to disclose the PHI. See, Section
28 Federal Breach Notice Law in ARRA
29 Federal Law Requiring Breach Notices In all but 4 states now, there are data security breach notification laws. Now there is a new federal data security breach notification law that applies also in healthcare situations. See, Section States without breach notice law: Kentucky, Alabama, New Mexico and South Dakota.
30 HITECH Act Federal Breach Notice Requirements Effective for breaches occurring after September 23, 2009. Sets robust new federal standards for breach notification in healthcare. Covers paper and electronic data which is unsecured and has been accessed, acquired or disclosed as a result of a breach. Note: good faith exception. Regs issued. See, Section 13402(h)(2).
31 HiTECH Summary Here are some key privacy changes to HIPAA brought by the HITECH Act that will most significantly affect credit and collections organizations: o Federal data breach notification requirements, including potentially a notice to the media. o Further restrictions on use/disclosure of PHI. o Direct liability for HIPAA fines and penalties for business associates, and for employees and individuals who violate HIPAA even if they do not work for covered entities. o Improved enforcement and increased/tiered fines.
32 Thank you Thank you for attending the presentation. Feel free to write with any questions.
33 eResources American Hospital Association edflags.html Federal Trade Commission American Medical Association NIST/Data Security Resources HIPAA Collaborative of Wisconsin (HIPAACOW)
34 HITECH Notice Must be made without unreasonable delay. In NO case more than 60 days after discovery of a breach. Notice to individual in writing unless individual has expressed preference to be notified electronically. See, Section
35 HITECH Notice Contents At a minimum, notices given under the HITECH Act must include: a description of the facts surrounding the breach; the type of PHI involved; steps people should take to protect themselves; what the Covered Entity is doing to investigate, mitigate and protect against future breaches; and contact information. See, Section 13402(f).
36 HITECH Notices - Other Media. If a breach involves the PHI of 500 or more individuals in a state, the entity must give notice of the breach to the media in that state. HHS Notices o More than 500 people: immediately o Fewer than 500 people: in an annual report
37 Bottom Line: Encrypt Note the HITECH definition of unsecured PHI. See, Section 13402(h). Best strategy to avoid the expense and damages associated with data security breach notifications: encrypt data whenever at all possible.
38 Federal vs. State Laws Remember if state laws apply and require more information you must comply with HITECH and state laws! HITECH, like HIPAA, sets a floor not a ceiling. See, Section 13421(a).
39 The Red Flags Rule Enforcement deadline: January 1, 2011.
40 Red Flags Rule - Basics Effective January 1, 2008. Mandatory compliance required/enforcement began January 1, 2011. Purpose: develop and implement an ID theft prevention and detection program.
41 Healthcare Providers - Exempt On Tuesday, December 7, 2010 the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of On November 30, 2010, the Senate passed this legislation by unanimous consent. Signed into law by President Obama on December 18, Excludes from the definition of "creditor," however, any creditor that advances funds on behalf of a person for expenses incidental to a service the creditor provides to that person.
42 Important Note Note: Healthcare providers as Covered Entities under HIPAA Administrative Simplification, while exempt from FTC Red Flag identity theft detection and protection provisions under S 3987, are not exempt from HIPAA and HITECH Act privacy and security rule obligations to safeguard patient identity data elements that are protected health information (PHI) identifiers.
43 Scope of Red Flags Rule Creditor: any person who regularly extends, renews, or continues credit; per the FTC this includes healthcare providers who accept payment plans or insurance. Red Flag: a pattern, practice, or specific account activity that indicates the possibility of ID theft.
44 Serious Concern: Medical ID Theft Intentionally, the FTC is concerned about medical identity theft. Medical ID Theft = a situation in which someone uses a person's name, possibly their insurance card, without the person's knowledge or consent to obtain or make false claims for medical services or goods.
45 Red Flags Requirements Written ID theft compliance program. Approved by the highest governing body of the organization. Properly trained out to the workforce. Failure to comply: penalty of up to $2,500 for knowing violations.
46 Massachusetts Data Security 201 CMR 17.00, Standards for Protection of Personal Information of Residents of the Commonwealth Note: these Regulations create an excellent checklist for implementation
47 Massachusetts Law Most comprehensive set of state laws and regulations on information security. Outlines what Massachusetts believes are the key elements of a responsible data security program. Effective Date: March 1, 2010. Will apply to your organization if you interact with any Massachusetts residents. Let's take a look.
48 Massachusetts Requirements
1. Designation of employee(s) to maintain the program;
2. Identification of foreseeable internal and external security risks;
3. Development of employee security policies;
4. Imposition of disciplinary measures for violations of the program;
5. Prevention of terminated employees' access to personal information;
6. Verification of a service provider's internal protection of personal information;
7. Limitation on the amount of personal information collected to only information necessary to accomplish the purpose for which it was collected;
8. Identification of personal information maintained;
9. Creation of physical access restrictions to personal information;
10. Regular monitoring and upgrading of the program as necessary;
11. Review of the scope of security measures annually, or as needed; and
12. Documentation of responsive actions taken with any breach.
49 More Massachusetts Requirements Secure user authentication protocols; secure access control measures; encrypt all personal information which travels across public networks or is transmitted wirelessly; monitor systems for unauthorized use; encrypt all personal information stored on laptops or portable devices; utilize an up-to-date firewall system; use current system security agent software; and educate employees on use of the computer security system.
50 Legislative Perspective
51 History of Electronic Health Information Exchange Legislation Initial Interest in Administrative Transactions HIPAA 1996 o Standard Transactions o Standard Code Sets o National Identifiers Need for standards for protection of electronic health care information o HIPAA Privacy o HIPAA Security Focus on covered entities: plans, providers, clearinghouses
52 Further Interest In Clinical Information Exchange President Bush's Call for EHRs for All Calls for Interoperability Office of the National Coordinator for Health IT National Health Information Network HITSP Standards CCHIT Privacy and Security Concerns Raised by GAO and others
53 Vision of Health Information Exchanges An individual's data can be exchanged among providers electronically. Individuals also have their own personal health records in addition to a provider's electronic health record. Information is exchanged through standard methods. Clear security and privacy protections. Administrative and clinical data are shared seamlessly.
54 Federal Law Along with funding for health information technology, the American Recovery and Reinvestment Act of 2009 (Public Law 111-5, the "ARRA") incorporated a law that significantly updates HIPAA's Privacy and Security Rules. The HITECH Act (the Health Information Technology for Economic and Clinical Health Act, Title XIII of ARRA) is intended to incentivize the modernization of healthcare without any sacrifice to the privacy or security of patients' sensitive information.