1 HIPAA in an Omnibus World Presented by
2 HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters you should consult with your own legal counsel or advisors. HITECH Compliance Associates are not attorneys and do not have an attorney on staff. All recommendations, procedures, etc. are made by HITECH.HIPAA certified specialists and conform to the standards as outlined by the National Institute for Standards and Technology, HHS, CMS and OCR.
3 Known by Many Names The Omnibus Rule The HIPAA MegaRule of 2013 The Final Rule This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. Leon Rodriguez, Director Office of Civil Rights
4 Published in the Federal Register on January 25, Took effect on March 26, Compliance required on September 23, 2013.
5 The Omnibus Rule is comprised of the following 4 rules: 1. Final modifications to the HIPAA regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the HIPAA rules; 2. Final rule adopting changes to the HIPAA Enforcement Rule; 3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act; and 4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
6 Why Should I Take Compliance Seriously Now? OCR Director Rodriguez was clear in his statement yesterday: "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
7 1 2 3 Avoid Willful Neglect Know & Comply with Patient s Privacy Rights Avoid Breach of 500 Records
8 Willful Neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
9 Willful Neglect 1. Not Performing Risk Assessments on a Regular Basis 2. Not Having a Complete Set of Policies and Procedures a. Privacy Rule b. Security Rule 3. Not Training Your Staff on Your Policies and Procedures
10 RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. In the words of the OCR In Summary, Risk analysis is the first step in an organization s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-phi.
11 Five Elements of Risk Analysis (Risk Assessment) 1. Identify and characterize the assets that need protection, including the databases, the applications, etc. 2. Analyzing the relevant threat data focusing on what could adversely affect the assets (ephi) in this case. 3. Modeling the potential losses that could result from the threat actually materializing. 4. Finding the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring. 5. Developing appropriate controls to reduce potential loss, reduce existing vulnerabilities and make sure the controls are cost effective.
12 Top Myths of Security Risk Analysis Security Risk Analysis is optional for small providers. Simply installing a certified EHR fulfills the security risk analysis MU requirement. A checklist will suffice for the risk analysis requirement. My security risk analysis only needs to look at my EHR.
13 Privacy Rule Since 2003 Security Rule Since 2005
14 These Are Your Patient s Rights Every Patient Complaint That Comes Into The HHS/OCR Web Site Is Investigated. Over 77,000 In The Past 10 Years.
15 Access to Protected Health Information If an individual requests protected health information that is maintained electronically in a designated record set, the Omnibus Rule provides that the covered entity must provide the individual with electronic access in a form and format requested by the individual, if the information is readily producible in such format. Must also send electronic records if you have the capability to do so. Disclose and document risk accepted..
16 Access to Protected Health Information Faxing and ing of Patient Records
17 Right to REQUEST Amendment The Privacy Rule grants individuals the right to request amendments to their protected health information. If the physician agrees with the request, add an amendment to the record. If the record is deemed to be correct your office can deny this request. You must send the patient a letter stating the reason for the denial. HIPAA gives the patient a right to submit a brief statement of disagreement allowing them to give the reasons they feel their medical records are not accurate or complete.
18 Right to REQUEST Confidential Communications Again, this is a request; however the law states that your practice must accommodate reasonable requests. Without a process in place your office will most likely violate the patient s request and risk a complaint with HHS.
19 Accounting of Disclosures Patients have the right to receive an accounting of disclosures, for the past 3 years. You are not required to provide disclosures for payment, treatment or healthcare operations. These are considered routine disclosures. However you must track and disclose upon request nonroutine disclosures such as state mandated reporting, tissue donation purposes, disclosures required by law (victims of crime, gunshot wounds, court ordered warrant, faxing information to the wrong location and any disclosure of patient information outside of need to know.
20 Request For Restrictions Restriction requests made by patients should be honored when possible, but are not required under HIPAA.
21 Request For Restrictions Covered entities must agree to restrict disclosures of protected health information about the individual if the disclosure is for payment or healthcare operations purposes, is not required by law, and the protected health information pertains solely to a healthcare item or service for which the individual, or someone on the individual's behalf other than the health plan, has paid the covered entity in full. Questions?? Must keep records hidden from chart review. Patient must sign new request each visit. How do you share files without risking exposure?
22 Notice of Privacy Practices The Privacy Rule identifies certain information that must be included in a covered entity s NPP, including a statement advising individuals that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and that the individual has the right to revoke an authorization.
23 Notice of Privacy Practices Fundraising. If the covered entity uses PHI for fundraising, its NPP must inform individuals that they have the right to opt out of fundraising solicitations and explain the process for the opt-out right. Marketing. Covered entities NPP now must contain a statement indicating that uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require an individual s written authorization. Use or Disclosure of Psychotherapy Notes. The NPP must inform the individual that an authorization is required if the covered entity intends to use or disclose psychotherapy notes. Breach Notice. The NPP must inform individuals of the covered entity s obligation to notify them following a breach of their unsecured protected health information. Right to Request Restrictions for Disclosures Related to Self-Payment. The NPP must include a statement that the covered entity is required to comply with a request not to disclose health information to a health plan for treatment where the individual has paid in full out-of-pocket for a health care item or service.
24 Notice of Privacy Practices Post Notice of Privacy Practices You May Post Summary of Privacy Practices Only if the full copy is nearby. OCR states it is too burdensome to have the patient request a copy from the receptionist.
25 The Minimum Necessary Standard, is a key protection of the HIPAA Privacy Rule. It is based on accessing or disclosing protected health information only when it is medically necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities and business associates evaluate their practices to enhance safeguards that limit unnecessary or inappropriate access to and disclosure of protected health information. Minimum necessary and proper safeguards are required for the incidental disclosure rule.
26 New Limitations On PHI Disclosure Limits on Fundraising and Marketing Fundraising communications must include a clear and conspicuous opportunity to opt out of receiving further communications. Marketing: The financial remuneration received by the covered entity must be reasonably related to the covered entity's costs associated with making the communication. The sale of PHI must have authorization by the patient before being sent.
28 The Value of Your Records Medical Identity Theft IRS Tax Refund Fraud Medicare Fraud
29 Culture of Compliance Compliance down to workstation. Regular Patching Reviews Passwords Encryption
30 Mobile Devices Best Practices 4 Digit PIN Wipe after 10 failed passcode attempts Remote wipe capability Never store over 500 text messages with PHI Be Careful with access to EHR (User&Password)
31 ENCRYPTION New Guidelines Option 1 Encrypt all devices. Option 2 Have a documented plan in place to encrypt all devices.
32 Windows XP All Windows XP computers must be upgraded by April 8 th of No more security updates by Microsoft.
33 Do Not Forget About Your Copier Hard Drives. Affinity Health Plan estimated that up to 344,579 individuals may have been affected by this breach. OCR s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ephi) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ephi.
34 Compliance is Your Ongoing Job. Build a Culture of Compliance within Your Organization. Idaho State University who agreed to pay $400,000 in May stemming from an incident where it disabled its firewall protections for nearly one year, compromising the protected health information of 17,500 patients.
35 Specific to Your Policies and Procedures Role Specific Before Given Access to PHI or ephi Reminders throughout the year. Document
36 OCR HIPAA Audit Findings 1) Systems are not being monitored. 2) Practices are not implementing security measures for mobile devices. 3) Many offices do not meet the HIPAA Security and Privacy Rule requirements, i.e. no Policies and Procedures.
37 Reviewing the EHR Audit Logs Perform Best Effort Attempt to Comply Retain Audit Logs For 6 Years Burden of Proof is Yours Looking for Inappropriate Access Unusual or Suspicious Behavior Start by Defining Your Audit Plan
38 Audit Plan Be Realistic thousands of lines per day Give PHI a Risk Rating based on Possible Harm to Patient Automated Processes v. Random Audits HIPAA Compliance Officer or IT Professional Review Both Internal and External Threats
39 Business Associates Expanded Definition of Business Associates More Agreements. Makes your business associates subcontractors directly liable under HIPAA. You are now fully liable for the actions of business associates acting as your agent. Business Associate Agreements must be updated with the Omnibus changes.
40 Business Associates Some of the many requirements Use and disclose PHI only as permitted or required under BAA or required by law; Expressly prohibited from using or disclosing PHI in a manner that would violate the Privacy Rule if done by a covered entity; Must disclose only the minimum necessary PHI; Must take reasonable steps to cure a subcontractor's breach; Must track for Accounting of Disclosures.
41 Business Associates By September 23, 2013, BUSINESS ASSOCIATES MUST Perform a risk assessment Have a risk management plan in place Breach notification compliance program Contingency Plan in place Have a set of Security & Privacy policies and procedures Designate a Security Officer Enter into written contracts with subcontractors (BAA) & CEs Train, train, train With Documentation of all the above.
42 Questions for Business Associates How critical is the business associate to my organization? Do I have an updated agreement in place with each business associate? Has our organization performed due diligence to ensure our business associate is HIPAA compliant. Does the business associate have an incident detection and management process? What are the legal and contractual requirements for offshore business associates and sub-contractors?
43 Breach There is a default presumption that an acquisition, access, use of disclosure of PHI that violates the Privacy Rule is a Breach. Even a suspected breach, is an actual breach, until such time as the entity performs a security risk assessment to determine that there is a low probability of compromise.
44 Breach You must now perform a Risk Assessment for each breach you do not report to the patient and HHS. The focus of the risk assessment is no longer on the harm to the patient but whether the information has been compromised. The burden of proof is clearly on the covered entity. If it cannot be clearly determined that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.
45 Breach Risk Assessment Required Four factors that must be considered in a risk assessment used to determine whether protected health information has been compromised are set forth in the definition of a "breach" (new version of 45 CFR ) and include: 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. 2. The unauthorized person who used the protected health information or to whom the disclosure was made. 3. Whether the protected health information was actually acquired or viewed. 4. The extent to which the risk to the protected health information has been mitigated.
46 Breach Common Causes of Small Breaches Misdirected Communications - clinical or claims record of one individual was mistakenly mailed or faxed to another individual. Test results were sent to the wrong patient. Files were attached to the wrong patient record. s were sent to the wrong addresses. Information released to the incorrect patient or person not authorized to receive such information. Glitches in software that incorrectly compiled lists of patient names and contact information. Employee snooping. Improper disposal. Incentive to over-report will be strong.
47 Breach Notification Requirements Covered entities must notify affected individuals of a breach of unsecured protected health information without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. Reports of breaches involving fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred. 45 CFR Covered entities must notify the Secretary by filling out and electronically submitting a breach report form on the OCR web site at
48 Breach The Office of Civil Rights (OCR) still recognizes that there are situations where an unauthorized use, disclosure, access or acquisition is very inconsequential and may not warrant notification. Covered entities and business associates will have to consider each situation carefully. We expect more guidance on this in the future, however this will lead to more expense, increased breach reporting and additional exposure for your practice to audits and fines.
49 Breach Protect Yourself Now is the time to encrypt everything. We Love Encryption Leon Rodriguez Start with mobile devices, Then Servers and workstations, Don t forget and text messaging.
50 Enforcement The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C through E, establishes rules regarding enforcement processes, such as the establishment of an amount of the penalty for a violation. The Final Rule clarifies that the HHS Secretary will investigate any complaint where a preliminary review of the facts indicates a possible violation due to willful neglect and also conduct a compliance review with discretion to investigate any other complaints.
51 Enforcement Violation Category CMP For Each Violation Total CMP for Violations of a Identical Provision in a Calendar Year Unknowing $100 $50,000 $1,500,000 Reasonable Cause $1,000 $50,000 $1,500,000 Willful Neglect Corrected $10,000 $50,000 $1,500,000 Willful Neglect Not Corrected At least $50,000 $1,500,000 The Final Rule does not allow violations due to willful neglect to be resolved through informal means without also imposing a CMP.
52 Enforcement Resolution Agreement Between the Office of Civil Rights and Hospice of North Idaho II. Terms and Conditions 7. Payment. HONI agrees to pay HHS the amount of $50,000 (the Resolution Amount ). HONI agrees to pay the Resolution Amount by electronic funds transfer pursuant to written instructions to be provided by HHS. HONI agrees to make this payment on or before the Effective Date of this Agreement. 8. Corrective Action Plan. HONI has entered into and agrees to comply with the Corrective Action Plan (CAP) attached hereto as Exhibit A, which is incorporated into this Agreement by reference. If HONI breaches the CAP, then HONI will be in breach of this Agreement and HHS will not be subject to the terms and conditions in the Release set forth in Paragraph 9 of the Agreement.
53 Enforcement OCR s investigation indicated that the following conduct occurred : (A) HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ephi on an on-going basis as part of its security management process from the compliance date of the Security Rule to January 17, (B) HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ephi that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011.
54 Time is of the Essence If you have not done so already, perform the following: 1. Perform a Security Risk Assessment 2. Inventory Business Associates, update Business Associate Agreements and perform due diligence on their HIPAA compliance. 3. Develop and Implement a full set of policies and procedures for the HIPAA Security and Privacy Rules. 4. Train all staff on a yearly basis on HIPAA and patient privacy. 5. Develop a Breach Response Plan using the updated Breach definition. 6. Have a Contingency Plan in place that meets the requirement of the HIPAA Security Rule. 7. Use the proper forms to document all of your HIPAA compliance. 8. Work on your Risk Management Plan weekly.
55 Time is of the Essence Put Special Emphasis On: 1. Business Associates 2. Training 3. Reviewing and reporting on Audit Log activity. 4. Mobile Device Security 5. Encryption
56 HIPAA Is A Cost of Doing Business HHS estimates that these new regulations will cost covered entities and business associates between $114 million and $225.4 million during the first year of implementation, and approximately $14.5 million each year thereafter.
57 The Real Cost of HIPAA Violations Loss of Trust Between You and Your Patients Loss of Reputation.
58 HIPAA Is A Valve, Not A Blockage. Leon Rodriguez, Director Office of Civil Rights.
59 Patient Is At The Top of The Pyramid Do not let security trump patient preference. HIPAA should not get in the way of the best interests of the patient. Patient Leon Rodriguez, Director Office of Civil Rights.
60 Stay Informed More Updates and Guidance Expected in the Near Future. 1. Accounting of Disclosures 2. Bulletins on how to implement the new Breach Reporting
61 We offer full HIPAA Compliance Services and specialize in small practice risk assessments and HIPAA Compliance Products. HITECH Compliance Associates Michael McCoy