HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

Transcription

1 HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1

2 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information (PHI) Patient Access to Electronic Health Records Business Associates (BAs) Security Rules PHI Breaches + Notification Audits, Consequences + Penalties Avoiding HIPAA Consequences Surviving a HIPAA Audit MicroMD HIPAA Compliance + Support HIPAA Resources 2

3 History of the Omnibus Rule Health Insurance Portability and Accountability Act (HIPAA) of 1996 Before HITECH, Business Associates (BAs) regulated through Business Associates Agreements (BAAs) Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 After HITECH, BAs and subcontractors regulated directly by HIPAA Omnibus Rule 2013 Therefore, must comply with Security Rules and some Privacy Rules and provisions of BAA 3

4 HIPAA Stats: 2009 to 2012* 538 PHI breaches (21M+ health records) 67% of breaches are a result of theft or loss 57% of patient record breaches involved a BA 38% a result of unencrypted laptop or other portable electronic device *Breaches impacting greater than 500 individuals as reported to HHS Aug 2009 to Jan

5 Rule Overview Changes to Personal Health Information (PHI) Patient access to electronic PHI (Tie to MU reqs) New requirements for Business Associates and their Subcontractors Defines new Security Requirements (Not enough to just do the audit; now need to take steps Tie to MU reqs) Updated definition of PHI Breach, how to asses breach level and notification Outlines penalties 5

6 Use of Personal Health Information (PHI) Limitations on use of PHI for marketing + fundraising purposes Prohibits sales of PHI without individual authorization to do so Broadens patient ability to restrict disclosure of PHI to health insurance, for instance when a patient pays cash 6

7 Patient Access to Electronic Health Record Expands patient rights to request + receive electronic copies of their health record Ties into Meaningful Use (MU) Stage 1 Core Objective 12: More than 50 percent of all unique patients seen by the EP during the EHR reporting period are provided timely (within 4 business days after the information is available to the EP) online access to their health information subject to the EP's discretion to withhold certain information. Stage 2 Core Objective 7: Provide patients the ability to view online, download and transmit their health information within 4 business days of the information being available to the EP. 7

8 Business Associates (BAs): Why the changes? Before HITECH, management of PHI was loosely defined; law required to use appropriate safeguards No established standards No way to validate standards were being followed Laptops don t always have encrypted discs Users often disable or don t update virus protection Covered Entities (CEs) with limited IT resources Increasing EMR adoption 8

9 Business Associates (BAs): Definition Person s who, on behalf of a Covered Entity (other than the Covered Entity s workforce) perform or assist in performing a function or activity that involves the use of disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA. IT equipment, support + software vendors Leasing firms Data centers Cloud computing providers Telephony + answering service vendors Shredding vendors Billing services Transcription services Collection services Temporary employment agencies 9

10 Business Associates (BAs): Omnibus Impact Extends requirements for privacy and security rules to physician BAs and their subcontractors HHS Secretary authorized to receive complaints and take action against BAs and subcontractors BAs and subcontractors required to maintain own records and provide HHS access to info BAs and subcontractors subject to civil money penalties for violations BAs and subcontractors liable under contract to Covered Entity (CE) and BA 10

11 Business Associates (BAs): Must Document Risk Analysis Continuity Plan Security Practices and Procedures Incident Response Plan (Breaches) Records Disposal Procedure for Electronic Media and Paper Records Employee Training Program Termination Procedures Audit Logs 11

12 Business Associates (BAs): Must Protect data + uphold privacy and security measures Restrict access to PHI via password Secure servers; limit access Receive and forward data automatically 128-bit encryption for reports Restrict PHI to need to know Automatic password expiration Store archives and backup in fireproof safe Mandatory HIPAA training Monitored security system Automated, securely-stored data backups Automated virus checks Properly dispose of data Delete data from BA systems at end of BA Not retain paper copies 12

13 Business Associates Agreement (BAA): Elements Specifies Purpose for use of PHI Functions, activities or services doing for CE BAs agree to Not to use PHI outside of requirements Use appropriate safeguards Mitigate disclosure that violates BAA Report disclosures to CE Document disclosures 13

14 Business Associates Agreement (BAA): Elements Designates BA may use PHI for data aggregation BA may use PHI to report violations of law Notification of BA changes in PHI disclosure procedures Notification of BA of PHI use or disclosure Term and termination provision Provision that BAA applies to subcontractor BA returns or destroys PHI; retain no copies (Or, if return not feasible, specify conditions) 14

15 Business Associates (BAs): Violations HITECH deems a BA to violate HIPAA if BA Knows of a pattern of activity of practice Breaches their Business Associates Agreement (BAA) BA fails to cure the breach, terminate the BAA or report the non-compliance 15

16 Security Rules BAs + Subcontractors should already have in place security practices that either comply with the HIPAA Security Rule, or that only require modest improvements to come into compliance CEs and BAs must review and modify security measures to ensure the continued provision of "reasonable and appropriate" protection of PHI Specifies that the BA secure assurances of adherence from Subcontractors, not the CE Subcontractor of a BA must report security incidents, including breaches, to its BA 16

17 PHI Breaches + Notification Defines that improper use or disclosure of PHI should be considered a breach that would trigger official notification requirements unless the organization in question carries out a risk assessment and determines otherwise Applies to unsecured PHI not rendered unusable, unreadable or indecipherable 17

18 PHI Breaches + Notification Changes definition for required notification of breaches 2009: Requirement was to notify of a breach if there was significant risk of harm to the individual 2013: Any acquisition, access, use or disclosure of PHI that is not permitted under HIPAA is deemed a breach, unless the covered entity or Business Associate can demonstrate, using a 4-factor assessment, that there is a low probability that PHI has been compromised Used to be the risk of harm was the threshold when determining a breach occurred Now the Office for Civil Rights (OCR) uses presumption of a breach as the threshold, making it more likely to be required to notify of a PHI breach 18

19 Common Breaches Impermissible use and disclosure of PHI Lack of safeguards of PHI Lack of patient access to PHI Complaints about the CE to HHS 19

20 Breach Notification: Assessment 4 factors must be assessed 1. Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification 2. The unauthorized person who used the PHI or to whom the disclosure was made 3. Whether the PHI was actually acquired or viewed 4. Extend to which the risk to the PHI has been mitigated If assessment of factors fails to show a low probability that the PHI has been compromised, breach notification is required 20

21 Breach Notification: Examples Example 1: A laptop computer was stolen and recovered, and analysis shows the PHI on the computer was never accessed, viewed, transferred, acquired or compromised in any way Example 2: Credit card numbers and social security numbers were included on the laptop, and analysis shows the data was transferred 21

22 Breach Notification: Obligations Notify impacted individuals written in plain language by written notice by first class mail (or if agreed by individual) to include: Description of how breach occurred Date of breach + breach discovery Description of compromised PHI (Data fields) Steps individuals can take to protect themselves from resulting harm Steps CE is taking to resolve and protect against further breaches Contact info of the Privacy Officer Also notify by phone or other means for urgent situations Minors: Notify parent or designated guardian Diseased: Notify next of kin Disclosure of SSN: Check with state 22

23 Breach Notification: Obligations Notify Secretary of HHS Breaches involving more than 500 individuals - Submit notification online: - No later than 60 days after discovery Breaches involving less than 500 idividuals - Should be documented and submitted annually to HHS - Documentation of breaches should be maintained for 6 years from the last breach Notify media If involves more than 500 residents of state or jurisdiction Must be prominent media outlet No later than 60 days after discovery 23

24 Audits, Consequences + Penalties Violation Civil Money Penalties per Violation All Violations in a Calendar Year Did Not Know $100 to $50K $1.5M Reasonable Cause $1K to $50K $1.5M Willful Neglect: Corrected $10K to $50K $1.5M Willful Neglect: Not Corrected $50K $1.5M 24

25 Avoiding HIPAA Consequences Read the full rule Modify and redistribute your individual Notice of Privacy Practices Amend BAAs to add security and privacy provisions and reissue for signature Do a test run before ever encountering a breach Complete a Security Risk Assessment Identify gaps + fix Document policies + procedures Create an action plan for breaches Conduct regular internal audits Have your BAAs handy; alert your BAs Establish audit reports, schedule + print Train staff 25

26 Surviving a HIPAA Audit Audits have been rare; tend to occur with breach notification Initial document request period: 10 days Audits process entails: Site visit: Interview stakeholders and exam of health information systems Site audit report: Physical safeguards, daily operations, adherence to policies and HIPAA compliance Remediation: Identify gaps and prioritize fixes; CEs should start immediate good faith effort If you ve prepared + documented it, you ll show a good faith effort 26

27 MicroMD HIPAA Compliance + Support BAAs Secure signed BAAs from each client Provide you with a signed BAA from MicroMD Secure signed BAAs from each MicroMD vendor + subcontractor HIPAA Compliance Officer: Linda Spinelli: Maintain HIPAA-compliant Policies Procedures Training Security Encrypted HIPAA-compliant data security for MicroMD Cloud data center Offer HIPAA-compliant ebackup service for non-cloud data back up Auditing Audit logs to track and document HIPAA-related items Client Support for questions regarding audit documentation 27

28 HIPAA Resources Federal Register HIPAA Final Rule, Jan 2013: (138 Pages) HIPAA Survival Guide: AMA Summary: https://download.amaassn.org/resources/doc/washington/x-pub/hipaa-omnibus-finalrule-summary.pdf 28

29 HIPAA Omnibus Rule Practice Impact 29