HITECH Omnibus Overview of the Rule

Transcription

1 HITECH Omnibus Overview of the Rule June 14, 2013 OCR Representative: Rachel Seeger WEDI Representatives: Mark Cone and David Ginsberg WEDI SNIP Privacy & Security Workgroup 1

2 Overview of the Omnibus Final Rule and New Educational Tools Rachel Seeger Senior Health Information Privacy Outreach Specialist Office for Civil Rights/HHS OCR/WEDI Omnibus Rule Summer Webinar Series June 16, 2013

3 Omnibus Final Rule/HITECH What s New for Business Associates BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule Liable for Security Rule violations BAs must comply with use or disclosure limitations expressed in its contract and those in the Privacy Rule Criminal and civil liabilities for violations BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities Subcontractors of a BA are now defined as a BA BA liability flows to all subcontractors U.S. Department of Health and Human Services, Office for Civil Rights June 14,

4 Omnibus Final Rule/HITECH What s New for Consumers Right to Electronic Copy of Electronic Health Record Right to direct copy to designated 3d party Prohibition on Sale of PHI without Authorization Marketing Communications Paid for by 3d Party Require Authorization Limited exceptions for refill reminders and current prescriptions Easy Way to Stop Fundraising Communications Right to Restrict Disclosures to Health Plans of Treatment/Services Paid for in Cash U.S. Department of Health and Human Services, Office for Civil Rights June 14,

5 GINA Provisions Requires Genetic Information to be treated as PHI Prohibits Health Plans from using/disclosing genetic information for underwriting purposes Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information U.S. Department of Health and Human Services, Office for Civil Rights June 14,

6 Omnibus Final Rule Non-statutory Provisions Student Immunization Makes it easier for parents to permit providers to release student immunization records to schools Research Allows researchers to use single authorization for more than one research purpose Relaxes policy on authorizations for future research Notice of Privacy Practices Updates required to Notices of Privacy Practices Relaxes distribution requirements for Health Plans Decedent Information Protections limited to 50 years after death Eases access to friends and families U.S. Department of Health and Human Services, Office for Civil Rights June 14,

7 Omnibus Final Rule/HITECH What s New for Breach Harm Standard Replaced New standard impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least: Nature & extent of PHI involved Who received/accessed the information Potential that PHI was actually acquired or viewed Extent to which risk to the data has been mitigated U.S. Department of Health and Human Services, Office for Civil Rights June 14,

8 Omnibus Final Rule/HITECH What s New for Enforcement Makes permanent increased CMP amounts and tiered levels of culpability from 2009 IFR Clarifies Reasonable Cause Tier Willful Neglect cases do not require informal resolution Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties U.S. Department of Health and Human Services, Office for Civil Rights June 14,

9 Enforcement Expectations Complaint Investigation and Resolution (As of December 31, 2012) TOTAL (since 2003) Complaints Filed 77,200 Cases Investigated 27,500 Cases with Corrective Action 18,600 Civil Monetary Penalties & Resolution Agreements (since 2008) $15.2 million U.S. Department of Health and Human Services, Office for Civil Rights June 14,

10 Enforcement Expectations Breach Notification Expect more uniformity in assessing incidents for breach notification purposes Continue to investigate major breaches and identify systemic or significant compliance problems to address by corrective action and resolution agreements Alert for incidents of failure to report particularly if willful neglect is present Looking for ways to incentivize preventative action in most common problem areas U.S. Department of Health and Human Services, Office for Civil Rights June 14,

11 Enforcement Expectations Resolution Agreements Five Resolution Agreements and Corrective Action Plans Negotiated in 2012 ($4.85 million) Two Resolution Agreements and Corrective Action Plans Negotiated in 2013 ($450,000) Expect continued growth and emphasis on significant cases remain small proportion of all the cases we look at Enforcement of compliance with new provisions after September continue to enforce with respect to existing provisions not subject to change U.S. Department of Health and Human Services, Office for Civil Rights June 14,

12 Enforcement Expectations Audit Program Completed Audits of 115 entities 61 Providers, 47 Health Plans, 7 Clearinghouses Total 979 audit findings and observations 293 Privacy 592 Security 94 Breach Notification Smaller entities struggle with all three areas Still assessing need to follow-up on individual auditees Help identify compliance areas of greatest weakness Evaluation underway to guide us in making audit a permanent part of enforcement efforts U.S. Department of Health and Human Services, Office for Civil Rights June 14,

13 Resources for Small Covered Entities and Business Associates Are You a Covered Entity? For Small Providers, Small Health Plans, and Other Small Businesses Summary/Guidance on Significant Aspects of the Privacy and Security Rules Fast Facts for Covered Entities Business Associates FAQs Sample Business Associate Agreement Security Rule Guidance Material Guidance on Risk Analysis Mobile Device Security Communicating with a Patient's Family, Friends, or Others Involved in The Patient's Care FAQs About the Disposal of Protected Health Information Training Materials on the HIPAA Privacy Rule U.S. Department of Health and Human Services, Office for Civil Rights June 14,

14 Learning Opportunities for Free CME and CE Credit OCR has three educational programs for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Each of these programs is available with free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals. They are available at Medscape.org: Patient Privacy: A Guide for Providers HIPAA and You: Building a Culture of Compliance Examining Compliance with the HIPAA Privacy Rule U.S. Department of Health and Human Services, Office for Civil Rights June 14,

15 Resources for Consumers Your Health Information Privacy Rights Privacy, Security, and Electronic Health Records Understanding the HIPAA Notice Sharing Health Information with Family Members and Friends HIPAA Videos for Consumers U.S. Department of Health and Human Services, Office for Civil Rights June 14,

16 HITECH Omnibus Overview of the Rule June 14, 2013 OCR Representative: Rachel Seeger WEDI Representatives: Mark Cone and David Ginsberg WEDI SNIP Privacy & Security Workgroup 16

17 Corrective Action Plans The WEDI Privacy and Security Workgroup is publishing a CAP comparative analysis of OCR noted deficiencies The next slides define some of the gaps and deficiencies that were noted in Corrective Action Plans! 17

18 Risk Analysis Failure to conduct a HIPAA Security Risk Analysis Or as noted recently by the Director of the OCR---conducting an insufficient Risk Analysis! 18

19 Training Lack of training prior to exposure to PHI Lack of training on Security procedures including proper remote access/use Lack of training on mobile device access Inadequate training specific to roles/job duties (why a HIPAA 101 won t cut it!) 19

20 Mobile and Portable Device Safeguards Lack of risk analysis and management for use of mobile/portable devices that access/create/maintain/transmit ephi Inadequate or non-existent safeguards and controls for these devices Failure to recognize and implement encryption Secure transmission (PHI texting/ ) 20

21 HIPAA Administrative Privacy and Security Gaps Incident response and reporting policies and procedures Implemented sanctions Workstation use procedures 21

22 HIPAA Physical Privacy and Security Gaps Device Security Facility controls and safeguards Secure handling/transporting of PHI Proper disposal of PHI Proper media controls (storage of unencrypted ephi) 22

23 HIPAA Organizational Privacy and Security Gaps Responding to OCR investigations Business Associate policies/procedures and effective agreements Maintaining up to date, signed, and implemented Policies and Procedures 23

24 Omnibus Updates every CE should be doing If applicable, update your Notice of Privacy Practices Update and implement revised Business Associate Agreements Depending on your compliance requirements, update Policies and Procedures including Breach Notification Train your workforce! 24

25 Taking a Step Back Perform your Security Analysis Gap Assessment Risk Assessment External vulnerability sweep What changes have been made to your business environment since first implementing HIPAA Privacy and Security Rule policies? 25

26 Back to HITECH BA s With additional business types named in HITECH, do you have more BA s? Has the identification of potential entities been a part of your contracting process? The WEDI Privacy and Security workgroup is updating the original BA Decision Tree and posting to the web site 26

27 Notice of Privacy Practices Changes for Individual Rights Marketing Sale of Data??? 27

28 Business Associate Agreements Does your current agreement specifically indicate that the Business Associate must meet all of the Security Rule requirements? Are Privacy requirements being undertaken by the business associate clearly articulated Notification requirements for Breach 28

29 Breach Do you have a Breach Policy? Has your policy been modified to account for the finalized rule? Did you know that civil and criminal monetary penalties have changed from the original rules? 29

30 Mobile Technology Do you allow workforce members to obtain on their phones / ipads / other portable devices? Do you trade information on patients / members via text messaging? Do you have a requirement to password protect the mobile device? 30

31 Vendor Systems Can your software applications handle withholding information if a patient paid in full and makes the request not to share? If not, how will you handle? How does this impact auto-generating a Rx? If Pharmacy, what impact on workflow does this pose for you? 31

32 Key s to Success GAP Analysis Understand where mitigation steps need to be taken Privacy and Security Documentation WRITE IT DOWN Cloud Vendors Private or Public? 3 rd parties working on your behalf OCR and WEDI documents 32

33 Questions / Answers 33

34 Future Webinar s June 28 Drill down on HITECH Privacy Rule Individual Rights: Access, Restrictions and NPP Uses and Disclosures Prohibited Disclosures: For Underwriting / Sale of PHI July 17 Breach and Enforcement Changes to the Breach rule Changes to the Enforcement Landscape July 28 Business Associates Modified definition BA liability Privacy and Security rule provisions applicable to BA 34

35 Thank You for participating in today s webinar. Feel free to utilize the WEDI Privacy or Security Listserv for questions that you may have that were not answered today or to just start a discussion on a topic! 35