1 Attorneys and Other Contractors HIPAA Business Associates in 2014 and Beyond October 18, 2013
2 Presenter Jennifer Orr Mitchell, Esq. Office ^ The information provided in this presentation is an expression of the viewpoints of the author(s) and is not intended to constitute nor should it in any way be construed as legal advice or a definitive statement of the law in any jurisdiction.
3 We will be covering Attorneys as HIPAA Business Associates HIPAA Privacy and Security Rules Recent Amendments HITECH and Omnibus Final Rule HIPAA Penalties Breach Notification Rule & Encryption Attorneys Use of Mobile Devices Enforcement Trends and Examples Best Practices
4 Five Principles of Fair Information Practices Underlying the HIPAA Rules Openness (Notice) The existence and purposes of record-keeping systems should be publicly known. Individual Participation (Access) The individual should have the right to see his or her records and assure the quality of the information contained in those records (accurate, complete, and timely). Security There should be reasonable safeguards in place for protecting the confidentiality, integrity, and availability of information.
5 Five Principles of Fair Information Practices Underlying the HIPAA Rules Accountability (Enforcement) Violations of the rules should result in reasonable penalties and mitigation is critical if a violation occurs. Limits on Collection, Use and Disclosure (Choice) Information should be collected only with the knowledge and consent of the individual Information should be used only in ways that are relevant for the purposes for which the information was collected. Information should be disclosed only with consent/notice or authority.
6 What is HIPAA -- Overview HIPAA = The Health Insurance Portability and Accountability Act of 1996 We will discuss two primary HIPAA regulations: Privacy Rule Security Rule Both rules apply to Covered Entities and their Business Associates
7 What is HIPAA -- Overview The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in HIPAA was intended to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange. Under HIPAA s Privacy and Security Rules, Covered Entities must take steps to secure and prevent the unauthorized disclosure of certain types of individually identifiable patient information known as Protected Health Information ( PHI ), including electronic Protected Health Information (ephi). HITECH (The Health Information Technology for Economic and Clinical Health Act), effective February 2009, significantly expanded the privacy and security requirements of HIPAA and put teeth into HIPAA enforcement through increased penalties and new enforcement mechanisms. One of the most significant changes under HITECH, which was reinforced under the Omnibus Final Rule, is the direct regulation of Business Associates.
8 Covered Entities Health Care Providers (if they transmit data in electronic form in connection with a transaction covered under HIPAA) Health Plans (including employer sponsored group health plans) Applies to all group health plans, both self-insured and fully funded, with > 50 participants Applies to all group health plans with < 50 participants unless self-administered Employers: Your health plan is covered is it compliant? Health Care Clearinghouses Workforce of a covered entity are required to comply with HIPAA Do not have to be employees of the covered entity, can include contractors, volunteers, etc.
9 Business Associates Any entity that creates, receives, maintains, or transmits (emphasis added) PHI in performing a function, activity, or service on behalf of a covered entity. Examples: billing companies, accountants, insurance agents/brokers, payroll vendors, consultants, data processing firms, cloud providers, records storage, and ATTORNEYS. Any entity that gets PHI to do something for a Covered Entity, including providing legal advice. BAs are required to agree to protect PHI the same way CEs do; otherwise, CEs cannot continue to do business with them
10 Attorneys as Business Associates Attorneys are included as Business Associates under the HIPAA Privacy Rule: 45 C.F.R Any non-employee who "provides legal services to or for such covered entity where the provision of the services involves disclosure of individually identifiable health information " There are differing viewpoints as to when the Privacy Rule applies to attorneys representation of their Covered Entity clients (e), Final Rule Preamble: "The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party."
11 Attorneys as Business Associates The HITECH Act made the Business Associate provisions of the Privacy Rule and certain Security Rule provisions directly and specifically applicable to Business Associates, including penalties for noncompliance. The Omnibus Final Rule confirmed this application. Privacy Rule Most attorneys and law firms already have good measures in place for dealing with confidential information Need to support these measures with written policies and procedures and review for compliance
12 Attorneys as Business Associates Security Rule Attorneys must reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI they receive, create or maintain electronically pursuant to their legal representation of a Covered Entity. Attorneys and Law Firms must take measures to address the following Security Rule requirements: Documentation of Policies and Procedures Administrative Safeguards Physical Safeguards Technical Safeguards
13 When is an Attorney a Business Associate? Attorneys who do not technically practice health care law often think they are not subject to HIPAA privacy and security obligations when they receive PHI from their covered entity clients. Attorney may be a BA: Privacy or Security Rule compliance support for CEs Fraud and abuse/false claims defense Health care professional discipline defense, payment disputes, advice on compliance, risk management, peer review, accreditation, licensing Representing a CE or BA in audits or governmental investigations Due diligence for some types of CE transactions Representing a CE in any case involving individual patient diagnosis or treatment Representing a CE in any case involving individual health benefits Representing a CE or a BA in enforcing a restrictive covenant against an employee who is soliciting patients of the covered entity or who has disclosed patient data to a new employer Representation in the sale or purchase of a CE or BA and have access to a patient list or a detailed list of accounts receivable Antitrust representation to define relevant market in restraint of trade case
14 When is an Attorney a Business Associate? Attorneys who do not technically practice health care law often think they are not subject to HIPAA privacy and security obligations when they receive PHI from their covered entity clients. Attorney may NOT be a BA: When it is representing any party which is not a CE, including individual plaintiffs In workers compensation cases (excluded by statute) In Social Security cases. In employment law matters, except for representation of group health plans or matters involving health care entities disclosing PHI to their attorneys to defend the litigation (because the individual has not put his/her medical condition at issue in an employment case). Sources:
15 When is an Attorney a Business Associate? Attorney is LIKELY a BA: (My List): Federal or state regulatory compliance and/or defense against an enforcement action (e.g., HIPAA, Medicare/Medicaid, fraud and abuse, etc.) Audit or investigation relating to actual or potential governmental or whistleblower complaints Pre-suit ERISA or other claims for health plan benefits Transactional work of any nature involving access to patient medical or financial information (e.g., billing, medical records, accounts payable, accounts receivable, pending or threatened litigation, etc.) Pre-suit employment investigation or advice where you had reason to access patient information (other than information contained in the employee s own employment file) Risk management or pre-suit handling of medical or personal injury claims Professional licensing board, credentialing, or other administrative matters Responding to subpoenas requesting patient information in any form
16 When is an Attorney a Business Associate? Attorneys and law firms should be able to recognize when they are (or could be considered) Business Associates and take the appropriate steps to comply with the HIPAA privacy and security rule provisions applicable to Business Associates. Non-compliance can lead to steep fines and government investigations, as well as potential loss of an attorney s or client s reputation. Given the risks associated with non-compliance, attorneys should consult with health care attorneys and other HIPAA experts (either within or outside their law firms) for advice on their compliance obligations and the implementation of HIPAA-compliant privacy and security programs. Source:
17 Business Associate Agreement Basics The BAA should include: Permitted uses/disclosures of PHI by BA Prohibited uses/disclosures of PHI by BA Requirement that BA use appropriate safeguards administrative, physical technical to protect ephi Requirement that BA report security incidents Ensure subcontractors agree to step in shoes of BA Make PHI available to CE for access, amendment, accounting of disclosures Make BA internal practices, books, records available to HHS for review to determine compliance Provision for return/destruction/escrow of PHI upon termination Authorize termination if material violation of BAA Security breach notification requirements HITECH/Omnibus Rule Minimum necessary requirement -- HITECH Security Rule compliance requirement HITECH Audit requirements -- HITECH
18 Business Associate Agreement Basics Indemnification Largely due to potential exposure under the Breach Notification Rule, CEs and BAs are including or attempting to include indemnification provisions in their BAAs These provisions should be carefully considered prior to execution of any BAA by both sides
19 HHS Guidance -- FAQs 1: Attorney disclosure of PHI to agents and/or subcontractors: The business associate agreement between the covered entity and the lawyerbusiness associate provides that the lawyer will ensure that any agents, including subcontractors, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information. See 45 CFR (e)(2)(ii)(D). Thus, if a lawyer-business associate enlists the services of a person or entity in furtherance of the lawyer s legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer s business associate agreement with the covered entity requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate.
20 HHS Guidance -- FAQs 1: Attorney disclosure of PHI to agents and/or subcontractors (continued): For example, pursuant to its business associate agreement, a lawyer must ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the covered entity, will also safeguard the privacy of the protected health information the lawyer receives to perform its duties. Conversely, a lawyer-business associate need not ensure that opposing counsel, fact witnesses, or other persons who do not perform functions or services that assist the lawyer in performing its services to the client, agree to the business associate restrictions and conditions, even though the lawyer may have to disclose protected health information to these third parties.
21 HHS Guidance -- FAQs 2: Sharing of PHI by CE with its Attorney for use in litigation Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of health care operations at 45 CFR includes a covered entity s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations.
22 HHS Guidance -- FAQs 2: Sharing of PHI by CE with its Attorney for use in litigation (continued) The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR (b), (d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR (d)(3)(iii)(C). A covered entity s minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer s requests for protected health information needed in the course of providing legal services to the covered entity.
23 HHS Guidance -- FAQs 2: Sharing of PHI by CE with its Attorney for use in litigation (continued) In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a relevance standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings.
24 HHS Guidance -- FAQs 3: Accounting for disclosures of PHI made during the course of litigation Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR (GPO). Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made: as required by law (under (a) and (e)(1)(i)); for a proceeding before a health oversight agency (under (d)); or in response to a subpoena, discovery request, or other lawful process (under (e)).
25 HHS Guidance -- FAQs 3: Accounting for disclosures of PHI made during the course of litigation (continued) Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual s authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity s health care operations. In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule should provide that the lawyer-business associate make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one.
26 Privacy and Security Privacy is the individual s right over the use and disclosure of his or her protected health information (PHI), and includes the right to determine when, how, and to what extent PHI is shared with others. The Privacy Rule grants rights to individuals for accessing and controlling the use/disclosure of their PHI. Security is the specific measures a health care entity must take to protect PHI from any unauthorized breaches of privacy, such as if information is stolen or provided to the wrong person in error. It also includes measures taken to ensure against the loss of integrity of PHI, such as if a patient s records are lost or destroyed by accident. HIPAA requires general security measures that are both reasonable and appropriate.
27 HIPAA Privacy Rule Protects all PHI (protected health information), which includes just about any piece of information that might possibly identify a person, in any form, including oral information Grants individuals broader rights in their PHI: access amendment disclosure accounting restrictions confidential communications Has been in effect since April 2003
28 The Privacy Rule THE RULE: Covered Entities are prohibited from using or disclosing PHI unless a Privacy Rule exception applies. THE LANGUAGE: A covered entity may not use or disclose protected health information [PHI], except as permitted or required by this subpart or by subpart C of part 160 of this chapter. [45 CFR ]
30 The Privacy Rule Protected Health Information (PHI) information created or received by a health care provider, health plan, or health care clearinghouse ( covered entities ); relating to past, present, or future health of an individual, provision of health care, or payment for health care; either identifies the individual or provides a reasonable basis for identification; in all forms (oral, written, electronic) PHI includes ephi, which is also covered more specifically by the Security Rule Exceptions: employment records, education records covered by FERPA, and records covered by other federal law.
31 The Privacy Rule It is important to understand that whether data is PHI depends on the source and how it was obtained. The same data can be PHI in one context and not in another. Did the data come from a covered entity? Was the information provided to assist the CE with its health care operations? (as opposed to information contained in HR/employment files or worker s comp files, for example) Does the information relate to past, present, or future health of an individual, provision of health care, or payment for health care? PHI provided pre-suit can arguably lose its status as PHI once a lawsuit is filed by the patient who is the subject of the information, putting his/her medical condition at issue; it would then depend on when the use or disclosure occurred.
32 The Privacy Rule PHI includes the following 18 identifiers: 1. names 2. all geographic subdivisions smaller than a State (street address, city, county, precinct, zip code) 3. All elements of dates (except year) for dates related to the individual (birth date, admission date, discharge date, date of death, prescription dispense date, etc.) 4. Telephone numbers 5. Fax numbers 6. addresses 7. SSNs 8. Medical records numbers (including, prescription numbers) 9. Health plan beneficiary numbers
33 The Privacy Rule 10. account numbers 11. certificate/license numbers 12. vehicle identifiers, serial numbers, license plate numbers 13. device identifiers and serial numbers 14. URLs 15. IP address numbers 16. Biometric identifiers (finger and voice prints) 17. Full face photographs (and comparable images) 18. Catch-all: any other unique number, characteristic, or code that might possibly identify a person So, in terms of information contained within medical and billing records, this really includes nearly every piece of useful information.
34 The Privacy Rule Key Permitted Uses & Disclosures: To the Individual For Treatment, Payment and Health Care Operations (TPO) Pursuant to an Authorization As Required by Law To Business Associates For Public Health Activities To Health Oversight Agencies Concerning Decedents To Organ Procurement Organizations For Research Purposes In a Limited Data Set For Fundraising and Underwriting
35 The Privacy Rule Minimum Necessary Rule When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
36 The Privacy Rule There are 6 Exceptions to the Minimum Necessary Rule: Disclosures for Treatment Disclosures to the Individual Disclosures pursuant to an Authorization Disclosures to DHHS for Enforcement Disclosures Required by Law Disclosures required for compliance with the Privacy Rule
37 The Privacy Rule Incidental Uses and Disclosures The Privacy Rule explicitly permits certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. An incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards and implemented the minimum necessary rule, where applicable.
38 The Privacy Rule Authorizations Specific elements are required for it to be effective. For example: plain language, right to revoke, specific description of information to be used or disclosed, identification of person or entity to whom information to be disclosed termination date
39 The Privacy Rule Notice of Privacy Practices (NPP): Sets forth the uses and disclosures that will be undertaken by the covered entity and its business associates. An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and of the individual s rights and the CE s legal duties regarding PHI. Specific requirements for what must be contained in the NPP are set out in the Privacy Rule. There are specific rules for distributing, posting, and providing access to the NPP OCR has recently issued a new sample NPP for use by health care providers and health plans Employers: Did you update your health plan NPPs in September 2013? You should have!
40 The Security Rule The Security Rule mandates safeguards for Electronic PHI (or ephi ). Security safeguards were already required by the Privacy Rule. The Security Rule provides more guidance as to the nature and function of each individual safeguard. Has been in effect since April 2005.
41 The Security Rule RULE: All covered entities and their business associates are required to develop and document a security program to guard against real and potential threats of disclosure or loss, which will include policies, procedures and safeguards to protect Electronic PHI (or ephi).
42 The Security Rule Safeguards 1. Administrative Safeguards Administrative actions, policies and procedures related to security measures Managing conduct of workforce in protecting ephi Risk analysis, risk management, appoint security officer, employee training, etc. ADMINISTRATIVE SAFEGUARDS Security Management Process 45 CFR (a)(1) (required) Assigned Security Responsibility 45 CFR (a)(2) (required) Workforce Security 45 CFR (a)(3) (addressable) Information Access Management 45 CFR (a)(4) (addressable) Security Awareness and Training 45 CFR (a)(5) (addressable) Security Incident Procedures 45 CFR (a)(6) (required) Contingency Plan 45 CFR (a)(7) (required) Evaluation 45 CFR (a)(8) (required) Business Associate Contracts and Other Arrangements 45 CFR (b) (required)
43 The Security Rule 2. Physical Safeguards Focused on preventing unauthorized individuals from gaining access to EPHI Protecting buildings and equipment from unauthorized access, disasters and hazards Limiting physical access to information systems and addressing security needs of workstations and computers PHYSICAL SAFEGUARDS Facility Access Controls 45 CFR (a)(2) (addressable) Workstation Use 45 CFR (b) (required) Workstation Security 45 CFR (c) (required) Device and Media Controls 45 CFR (d) (required)
44 The Security Rule 3. Technical Safeguards Technology and the policies and procedures for its use that protect ephi and control access to ephi Address electronic transmission of ephi and access control mechanisms TECHNICAL SAFEGUARDS Access Control - 45 CFR (a)(1) (addressable); (a)(2) (required) Audit Controls - 45 CFR (b) (required) Integrity - 45 CFR (c)(1) (N/A) Person or Entity Authentication - 45 CFR (d) (required) Transmission Security - 45 CFR (e)(1) (N/A)
45 The Security Rule Implementation Specifications Required v. Addressable required specifications addressable specifications CEs and BAs (after HITECH) must assess whether a specification is reasonable and appropriate If reasonable and appropriate, the CE or BA must implement the specification If not applicable, the CE or BA must document the decision not to implement the specification, reason, and how the standard is otherwise being met.
46 The Security Rule - OCR FAQ What is the difference between addressable and required implementation specifications in the Security Rule? Answer:.The covered entity [or business associate] must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity [or business associate] must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity [or business associate] makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.
47 The Security Rule Some key areas of security concerns: unprotected Internet web browsing and cookies Authentication networks/firewalls lack of physical security hackers/phishing/other illegality internal mischief/disgruntled employees data sharing encryption (or lack thereof)
48 The HITECH Act Health Information Technology for Economic and Clinical Health Act (HITECH Act) February 17, 2009 Most significant changes to HIPAA since issuance of the Privacy and Security Regulations.
49 The HITECH Act Included $20 billion in funding for healthcare information technology projects Extended the reach of the HIPAA Privacy and Security Rules and penalties to directly Business Associates Increased enforcement, of and penalties for, HIPAA violations: Formal investigations of complaints State AGs can bring civil actions in federal court Increased penalty amounts Imposed breach notification requirements on CEs and BAs Clarified minimum necessary standard (sort of) Limited certain uses and disclosures of PHI More accounting responsibilities for uses/disclosures of PHI Increased individuals rights with respect to PHI maintained in electronic health records (EHRs) Periodic HHS audits of HIPAA compliance (KPMG audits underway) Remuneration in exchange for PHI prohibited (with some limited exceptions) Marketing/fundraising restrictions tightened Required BAs to enter into Business Associate Agreements with subcontractors and monitor compliance BA must terminate contract if compliance issues cannot be cured
50 The HITECH Act Section-by-Section Sec Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions. Sec Notification in the case of breach. Sec Education on health information privacy. Sec Application of privacy provisions and penalties to business associates of covered entities. Sec Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format. Sec Conditions on certain contacts as part of health care operations. Sec Temporary breach notification requirement for vendors of personal health records and other non-hipaa covered entities. Sec Business associate contracts required for certain entities. Sec Clarification of application of wrongful disclosures criminal penalties. Sec Improved enforcement. Sec Audits.