HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013


Federal and Texas Privacy & Security Requirements
Minimizing Your Risk of Violations

DISCLAIMER

The information contained in this document highlights the various laws and statutes set forth below. It does not, nor does it intend to, address all provisions of the specific laws and statutes cited herein. Further, the statutes and laws referenced in this tool are not an exhaustive list of federal and Texas privacy laws. This document is intended merely as an aid to assist physicians and their office staff in understanding their obligations under the changes to privacy provisions found in House Bill 300 (HB 300), Senate Bill 1609 (SB 1609) and Senate Bill 1610 (SB 1610) as compared to the various federal privacy counterparts set forth in HIPAA/HITECH and HIPAA. TMLT makes no representation that compliance with the provisions set forth in this tool will constitute full compliance with the various federal and state privacy laws. The information presented should be used as a resource, selected and adapted with the advice of your attorney. It is distributed with the understanding that TMLT and its affiliates are not engaged in rendering legal services.

Copyright 2013 TMLT

CONTINUED CHANGES IN PRIVACY LAWS

For medical practices, or Covered Entities (CE) in Texas, and now their Business Associates (BA), minimizing your risk of violations of federal and Texas privacy laws is not a one-time event. The laws and rules keep changing. It is essential that CEs and BAs understand the federal and Texas laws and their associated rules and how they apply to the organization.

In January 2013, the new HIPAA rule, also known as the Final Rule, was released. The changes in this rule are significant and will once again require CEs and BAs to make changes to their standard business processes. All CEs and BAs must be compliant by September 23, 2013, with a few exceptions. Making the necessary changes is very important since enforcement and the associated civil monetary penalties are greatly increased under the Final Rule.

After reviewing this tool you should consider:
1. Reviewing and updating policies and procedures
2. Reviewing and updating your Notice of Privacy Practices (NPP)
3. Retraining your workforce on the changes
4. Preparing, reviewing and amending Business Associate Agreements (BAA)

In 2011, members of the Texas legislature passed House Bill 300 (HB 300) to add further safeguards for protected health information (PHI) for patients being treated by Texas physicians. The HB 300 changes that were made to existing Texas privacy laws are more stringent than those found in the federal laws, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and went into effect September 1,

The recently concluded 2013 Texas legislature again brought changes to the Texas Medical Records Privacy Act and the Identity Theft Enforcement and Protection Act. These changes were made at the urging of TMLT and were supported by TMA to help Texas physicians comply with the 2011 changes by easing the burden of educating staff as well as clarifying reporting requirements of.

Again, it is very important for physicians and their office staff to be familiar with the existing laws and the changes to those laws in order to minimize the risk of violations. Consequences may include the assessment of civil penalties in Texas in addition to penalties for violating the federal laws.

This comparison chart is made available by TMLT to help you review the changes to the federal and Texas privacy laws. Physician practices, as CEs, and their BAs should take this opportunity to review their existing HIPAA/HITECH policies, procedures and practices. Further, modifications to these existing policies, procedures, and practices will need to be made to reflect the requirements under the revised Texas privacy laws and the Final Rule. HIPAA Privacy and Security are the foundation for the many changes we have seen on both the federal and state level, as well as the changes that are sure to come as technology continues to change and immediate access to health records evolves.

TMLT has additional resources available and can provide customized consultation services to help your practice. Call Stephanie Downing at , extension 4884 or consultingwebmail@tmlt.org for more information.

COVERED ENTITY (CE) COMPLIANCE

HIPAA/HITECH
- HIPAA Privacy Rule: effective 4/14/2003
- HIPAA Security Rule: effective 4/20/2005
- HITECH: in effect since 2009
- CEs are required to develop policies and procedures, conduct training, and change their notice of privacy practices and BAAs in accordance with HIPAA/HITECH privacy and security requirements.
- Under HIPAA, a CE is a health plan, a health care clearinghouse, or a health care provider transmitting electronic personal health information (ePHI) in connection with a transaction covered by Subchapter A of the HIPAA regulations.

Final Rule
- Effective date: 3/25/2013
- Compliance date: 9/23/2013
- Compliance date for updating BAAs:
  o You may have additional time to comply with updating your BAAs.
  o The provides up to a one-year extension (until 9/22/2014) for updating BA contracts that are not otherwise modified after 3/26/2013.
  o You may want to consult legal counsel to determine if you meet this expectation.
- No change to the definition of a CE.

Texas: TX HEALTH & SAFETY CODE 181, 182 (HB 300) and TX IDENTITY THEFT ENFORCEMENT & PROTECTION ACT
- Effective date of the 2011 changes to TX Health & Safety Code 181, 182: 9/01/2012
- SB 1609: effective 6/14/2013
- TX Identity Theft Enforcement & Protection Act: effective 9/01/2012
- SB 1610: effective 6/14/2013
- A CE is any person who: assembles, collects, analyzes, uses, evaluates, or transmits PHI for commercial, financial or professional gain, monetary fees or dues, or on a cooperative, nonprofit or pro bono basis; comes into possession of PHI; or obtains or stores PHI. Includes: a BA, health care payor, government unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site.

TRAINING

HIPAA/HITECH
- Employees are to be trained on HIPAA requirements regarding PHI and ePHI.
- Training is to be afforded as necessary and appropriate to carry out employees' job functions.
- New employees are to be trained within a reasonable period of time after being hired.
- All employees are to receive training on any material change in HIPAA requirements regarding PHI within a reasonable time after the material change goes into effect.
- The CE must document training.

Final Rule
- No changes to the training requirements.

Texas: HB 300, as amended by SB 1609
- Employees are to be trained on state and federal laws on PHI.
- The CE shall provide training to employees regarding state and federal law concerning PHI as necessary and appropriate for the employee to carry out the employee's duties as they relate to PHI.
- The CE must train new employees by the 90th day of employment.
- If the duties of an employee of a CE are affected by a material change in state or federal law, the employee should be retrained as soon as possible concerning the changes; the training must occur no later than the first anniversary of the date the material change in law takes effect.
- The CE must maintain signed statements from employees verifying attendance at training until the sixth anniversary of the training.

Practical Tip: Whenever you update your Privacy or Security policies or procedures, you should retrain staff and document the training.

PATIENT RIGHTS

HIPAA
The HIPAA Privacy Rule contains a number of individual rights, including:
- access: the right to review and obtain a copy of PHI, with certain exceptions;
- amendment: the right to request that the CE amend inaccurate or incomplete information;
- accounting of disclosures: the right to request an accounting of disclosures;
- restriction request: the right to request that the CE restrict disclosure; and
- confidential communications.

Final Rule
Changes to patient rights were made in the Final Rule:
- electronic copy of PHI;
- the patient may direct the CE to send ePHI to a third party;
- right of restriction: patients may restrict that PHI not be shared with a health plan if they pay out of pocket at the time of service;
- genetic information under GI;
- proof of student immunization may be released to schools;
- decedent information; and
- make changes to your NPP.

PROVIDE AN ELECTRONIC COPY OF PHI

HIPAA/HITECH
- The CE must provide patients with their PHI within 30 days of receipt of the request, in the form requested if it is readily producible in that form.
- If the CE uses or maintains electronic health records (EHRs), the patient has the right to receive PHI in electronic format and to direct the CE to transmit the copy directly to an entity or person designated by the patient.
- HITECH created the patient right to obtain electronic copies of PHI maintained in an EHR.
- HITECH established that the fee for copies was to be based on labor costs.

Final Rule
- Individuals have the right to obtain an electronic copy of any PHI maintained electronically in one or more designated record sets.
- If the electronic information is not readily producible in the form and format requested, the information must be provided in an alternative readable electronic form and format as agreed to by the CE and the individual.
- The labor of copying ePHI may be included in the reasonable cost-based fee.
- The cost of supplies (e.g. CDs or USB drives) may be included in the reasonable cost-based fee if the individual requests that the electronic copy be provided on portable media.
- The cost of postage may be included in the reasonable cost-based fee if the individual requests that the portable device containing the electronic copy be sent by mail or courier.

HB 300
- The CE must provide patients with an electronic copy of their medical records within 15 days of receipt of a written request if the CE uses an EHR system capable of fulfilling the request (15 days is consistent with TMB rules on release of records);
- the CE may provide records to the patient in another format if the patient agrees;
- the Texas Health & Human Services Commission may recommend a standard electronic format for release of EHRs; and
- the Texas Attorney General has established a website to provide information on individuals' privacy rights concerning PHI under state and federal law, a list of state agencies that regulate CEs, and information regarding each agency's complaint enforcement process and contact information.

Practical Tip: Revise your policy and procedure on the release of records to be sure it reflects Texas requirements.

MARKETING

HIPAA/HITECH
- HITECH limits the health-related communications that are excepted from the definition of marketing to the extent a CE receives or has received direct or indirect payment in exchange for marketing the communication.
- If the payment received by the CE is reasonable, there is an exception to the payment limitation for communications that describe only a drug or biologic currently prescribed to the patient.

Final Rule
- The Final Rule requires the CE to obtain an individual's authorization in order to use or disclose PHI for marketing purposes.
- Authorization is required for all treatment or health care operations communications if the CE received financial remuneration from a third party whose product or service is marketed in the communication.
- No authorization is required where a CE receives financial remuneration from a third party for marketing communications made face-to-face to the individual.
- Exceptions to the definition of marketing:
  o providing refill reminders or otherwise communicating about a drug or biologic currently being prescribed for the individual, provided that any financial remuneration is reasonably related to the CE's cost of making the communication (labor, supplies, and postage); and
  o describing a health-related product or service, or contacting individuals with information about treatment alternatives and related functions, as long as the CE does not receive financial remuneration in exchange for making the communication.

Texas
- The CE must obtain clear and unambiguous permission in written or electronic form to use or disclose PHI for any marketing communication, except if the communication is: (1) a face-to-face communication made by the CE to an individual; (2) a promotional gift of nominal value provided by the CE; (3) necessary for administration of a patient assistance program or other prescription drug savings or discount program; or (4) made at the oral request of the individual.
- If the CE uses or discloses PHI to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of the sender and recipient and must: (1) state the name and toll-free number of the CE; and (2) explain the recipient's right to have the recipient's name removed from the sender's mailing list.
- The CE must remove an individual's name from a mailing list no later than the 45th day after the CE receives the individual's request.
- An oral request of the individual under Subsection (a)(4) may be made only if clear and unambiguous oral permission for the use or disclosure of the PHI is obtained. The marketing communication must be limited to the scope of the oral permission, and any further marketing communication must comply with the requirements of this section.

FUNDRAISING

HIPAA
- The CE must provide a clear and conspicuous opt-out opportunity.
- The CE must honor the opt-out request.
- The CE can only use demographic information, insurance status, and dates of service to target fundraising communications.

Final Rule
- The opt-out notice must be clear and conspicuous.
- The opt-out method cannot be burdensome.
- The CE must honor all opt-out requests.
- The CE may not condition payment or treatment on the individual's choice to receive fundraising communications.
- The CE may use general information about the department in which the patient was served (e.g. cardiology), the identity of the treating physician, and general outcome information to target fundraising campaigns.
- The CE may decide whether an opt-out should apply to all future fundraising communications or to a specific campaign.

SALE OF PHI

HIPAA/HITECH
- Prohibits the sale of PHI without patient authorization except for public health activities, the cost and preparation of research activities, treatment and payment, health care operations pursuant to BA activity, the patient's access to his/her PHI, and if the Secretary of HHS determines by regulation that it is necessary and appropriate.

Final Rule
- Prohibits a CE or BA from receiving direct or indirect payment from the recipient of the PHI in exchange for the PHI without authorization from the individual.
- The authorization requirement does NOT apply to disclosures of PHI:
  o for public health purposes;
  o for research purposes where the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI;
  o for treatment, payment, or health care operations;
  o to or by a BA for activities that the BA undertakes on behalf of the CE, where the only remuneration is for the performance of such activities;
  o to an individual, when requested under the access and accounting of disclosures provisions of the Privacy Rule;
  o required by law; or
  o for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI or a fee otherwise expressly permitted by other law.
- Ongoing research studies will be grandfathered. A CE may continue to use a limited data set in accordance with an existing data agreement for up to one year or until it is renewed or modified, whichever is earlier.

HB 300
- Prohibits the sale of PHI except for treatment, health care operations, performing an insurance or health maintenance organization function, or as otherwise authorized by state or federal law.

RIGHT TO RESTRICT DISCLOSURE TO HEALTH PLANS

HITECH
HITECH requires health care providers to adhere to a patient's request not to disclose their PHI to a health plan if the PHI pertains solely to items or services for which the patient paid the provider out-of-pocket, provided the disclosure is not required by law.

Final Rule
Clarifications were made in the Final Rule:
- providers are prohibited from disclosing PHI to BAs of the health plan;
- providers are not required to create separate medical records or otherwise segregate PHI subject to this restriction, as long as they prevent its disclosure;
- providers may unbundle billing for items or services to accommodate an individual's restriction request, but they must first counsel the individual that the health plan may be able to determine from such claims the other services that were provided;
- providers are not required to notify downstream providers of the restriction; and
- payments from a health savings account or flexible spending account constitute payment on behalf of the individual.

Practical Tip: Revise your policy and procedure on use and disclosure, as well as your NPP.

DISCLOSURE OF CHILD IMMUNIZATIONS TO SCHOOLS

HIPAA
- Authorization to release PHI is required.

Omnibus Rule
- Permits the CE to provide proof of immunization without authorization to schools that are required to have the information.
- The CE must get parental agreement to allow the CE to provide immunization records without authorization.

Practical Tip: Consider how you will document parental agreement; consider adding it to your general consent.

NOTE: The Texas Medical Board Rules, Chapter Medical Records Release and Charges, state: "(a) Release of Records Pursuant to Written Request: As required by the Medical Practice Act, a physician shall furnish copies of medical and/or billing records requested, or a summary or narrative of the records, pursuant to a written release of the information as provided by the Medical Practice Act." In the absence of clarification from federal or Texas authorities, practices may want to continue to obtain written authorization before releasing proof of immunization to schools. Further clarification on this topic is likely in the future.

ACCESS TO DECEDENT INFORMATION BY FAMILY

HIPAA
- Disclosure to family: the CE is required to protect the PHI of a decedent to the same extent as that of a living individual.
- Authorization is required from the person's personal representative for any disclosure that would have required authorization by the individual if living.
- There is no expiration of HIPAA protections of PHI.

Practical Tip: Consider how you will document parental agreement; consider adding it to your general consent, or continue to obtain authorization before releasing PHI.

Final Rule
- Information on decedents is protected unless the decedent has been dead for more than 50 years. There is no requirement to keep records for 50 years.
- Disclosure to family: the CE may disclose PHI to family members as long as the disclosure is not inconsistent with the individual's prior preferences.

NOTE: The Medical Practice Act of Texas requires a valid written consent for the release of confidential information. If the patient is deceased, authorization is required from the patient's personal representative. In the absence of clarification from federal or Texas authorities, practices may want to continue to obtain written authorization from a personal representative before releasing the PHI of a decedent. Further clarification on this topic is likely in the future.

GENETIC INFORMATION (GI)

HITECH
- Requires HHS to clarify that genetic information is PHI and to prohibit plans, insurance issuers, and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting.

Final Rule
- Prohibits all health plans, except long term care insurers, from using or disclosing genetic information for underwriting purposes.
- Defines underwriting.
- Includes genetic information within the definition of PHI.

NOTICE OF PRIVACY PRACTICES & AUTHORIZATION REQUIREMENTS FOR ELECTRONIC DISCLOSURE OF PHI

HIPAA/HITECH
- HIPAA requires the CE to have an NPP.
- HIPAA requires the CE to make copies of the NPP available to patients.
- HIPAA requires the CE to post a copy of its NPP.
- HIPAA requires the CE to attempt to obtain a signed acknowledgment of receipt of the NPP.

Final Rule
Your NPP must include:
- Use and Disclosure: the NPP must include an express statement that the following require an individual authorization:
  o psychotherapy notes;
  o PHI for marketing;
  o sale of PHI; and
  o uses and disclosures not described in the NPP will be made only with the individual's authorization.
- Fundraising: where the CE intends to contact individuals for fundraising, the NPP must include a separate statement regarding fundraising communications and the right to opt out.
- Notification of Breach: include a statement of the right of the affected individual to be notified following a breach.
- Right to restrict disclosures: the NPP must include a separate statement informing individuals of their right to restrict disclosures of PHI to health plans under certain circumstances.
- Include the restrictions on genetic disclosures under GI.
- Health care providers must make a modified (revised) NPP available to patients at the facility upon request and post the revised NPP at such locations.

HB 300
Changes made by HB 300:
- The CE must provide notice of electronic disclosure of PHI to patients if the patient's PHI is subject to electronic disclosure (the notice may be provided in the NPP or in a separate document).
- The CE is to post written notice of electronic disclosure of PHI in the CE's place of business, on the CE's web site, or in another conspicuous place where the patient is likely to see the notice (Note: this may be incorporated into a current practice protocol that satisfies HIPAA requirements).
- The CE must obtain patient authorization (written, or oral if documented) for each electronic disclosure of PHI, except if the electronic disclosure is made to another CE for treatment, payment, health care operations, or as otherwise authorized or required by state or federal law (do not obtain blank, signed patient authorizations).
- A standard authorization form for electronic disclosure of PHI is available on the Texas Attorney General's web site.

Practical Tip: After you revise your NPP, develop a plan to redistribute it and obtain new acknowledgments of receipt.

STANDARDS FOR SECURING PHI & ePHI

HIPAA
- Destruction and encryption can be used for securing PHI and ePHI.
- BAs and their subcontractors are fully liable for compliance with HIPAA Privacy and Security and HITECH (including the Final Rule).

Texas Health & Safety Code 182 (HB 300)
- Mandates the Texas Health Services Authority (THSA) to develop, and HHS to adopt, privacy and security standards for the electronic sharing of PHI;
- the adopted privacy and security standards are to be posted on THSA's website; and
- THSA is to establish a process by which a CE may obtain certification of compliance with the adopted privacy and security standards.

Texas: sensitive personal information (SPI)
- A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information (SPI) collected or maintained by the business in the regular course of business.
- A business shall destroy or arrange for the destruction of customer records containing SPI within its custody or control that are not to be retained, by shredding, erasing, or otherwise modifying the SPI in the records to make the information unreadable or indecipherable through any means.

BREACH NOTIFICATION REQUIREMENTS

HIPAA/HITECH
- A breach is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI and poses a significant risk of financial, reputational or other harm to an individual.
- Notification is required if there is a breach of unsecured PHI.
- There are limited exceptions to the breach notification requirements.
- Content requirements for written notice.
- Substitute notice requirement.
- Notify the individual no later than 60 days after discovery.
- Notify HHS per the HHS website specifications.
- Notify the media in some instances per the Breach Notification Rule.

Omnibus Rule
- Under the Omnibus Rule all breaches of PHI are presumed to be reportable. This replaces the risk of harm threshold in HITECH.
- A breach is an impermissible use or disclosure of PHI.
- There is one exception to reporting: if, after conducting a risk assessment in good faith (using a prescriptive four-part model), the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, then reporting is not required.

Texas
- Breach notification requirements were added to in
- Safeguard SPI. SPI is defined as unencrypted:
  o Name;
  o Social Security Number;
  o Driver's license number;
  o Other government issued ID number;
  o Account number;
  o Credit card number;
  o Debit number; or
  o PHI.
- A person who conducts business in Texas and owns or licenses data that includes SPI must disclose a breach upon discovery, or if SPI is reasonably believed to have been acquired by an unauthorized person. Notification must be made immediately or as soon as feasible.
- A person who maintains computerized data containing SPI must immediately notify the owner/license holder about the breach once the breach is discovered.

HB 300
- The CE must provide notification to any affected individual, not just Texas residents.

Practical Tip: Report any suspected breach to your cyber liability carrier immediately. They may be able to provide you with resources, including counsel, to help you conduct a risk assessment and determine if the breach is reportable.

Changes made by SB 1610
- If the individual whose SPI was breached (or is believed to have been breached) resides in a state that requires notice of a breach of system security, the notice may be provided under that state's law or under Texas law.
- A person may give written notice as required at the last known address of the individual.

BUSINESS ASSOCIATES AND THEIR SUBCONTRACTORS & BUSINESS ASSOCIATE AGREEMENTS

Final Rule
Changed the definition of a BA: a BA is anyone who creates, receives, maintains, or transmits PHI on behalf of the CE.

Other changes for BAs:
- A BA relationship exists if the entity fits the definition of a BA, regardless of whether a BAA is in place.
- BAs must meet the minimum necessary rule.
- BAs must comply with the HIPAA Privacy and Security Rules.
- A subcontractor of a BA is anyone who creates, receives, maintains or transmits PHI on behalf of the BA.
- A subcontractor of a BA is now defined as a BA and is subject to all the same rules.
- A BA will need to have a BAA or written contract with its subcontractors.

BAA or Contract
When a CE uses a contractor or other non-workforce member to perform "business associate" services or activities, the Final Rule requires that the CE include certain protections for the information in a BAA (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the BA contract, a CE must obtain assurances from the BA that it will impose specified safeguards with respect to the individually identifiable health information it uses or discloses.

Texas definition of a CE
A CE means any person who: (A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI. The term includes a BA, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site; (B) comes into possession of PHI; (C) obtains or stores PHI; or (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits PHI.

Changes to the BAA
The BAA must include an agreement that the BA complies:
- with the Security Rule regarding ePHI; and
- with the Privacy Rule if the BA is performing services on a CE's behalf that fall under the Privacy Rule.

BA and Subcontractor Liability
The Final Rule makes BAs and their subcontractors directly liable for violations of the Privacy and Security Rules, including:
- failure to notify the CE of a breach;
- failure to provide access to a copy of PHI to the CE or patient;
- failure to provide information to the HHS Secretary when requested for an investigation;
- failure to provide an accounting of disclosures; and
- failure to comply with the Security Rule.

BUSINESS ASSOCIATES

Clarifies that the following are BAs of CEs:
- Health Information Organizations (HIO) / Health Information Exchanges (HIE); and
- Patient Safety Organizations (PSO).

HYBRID ENTITY

HIPAA
The Privacy Rule permits a CE that is a single legal entity and that conducts both covered and non-covered functions to elect to be a hybrid entity. (The activities that make a person or organization a CE are its "covered functions.") To be a hybrid entity, the CE must designate in writing its operations that perform covered functions as one or more "health care components." After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A CE that does not make this designation is subject in its entirety to the Privacy Rule.

A hybrid entity must include a component that performs business associate-like activities within its health care component. The entire CE, and not merely its health care component, remains responsible for complying with BA arrangements and the other organizational requirements of HIPAA.

About the Author: Cathy Bryant is a Risk Management Representative at TMLT. Cathy has more than thirty years of experience in health care as a nurse, risk manager, compliance officer, hospital executive, and consultant. Cathy is a member of the Health Care Compliance Association and is certified in Healthcare Privacy Compliance by the Compliance Certification Board.


More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers Disclaimer: The following questions and answers are not legal advice or opinion. They

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask

More information

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences Key HIPAA HITECH Changes Gina Kastel, Partner, Health and Life Sciences Agenda Business Associates Restrictions on Disclosures Access to PHI Notice of Privacy Practices Fundraising 2 Business Associates

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

Legislative & Regulatory Information

Legislative & Regulatory Information Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy

More information

Texas House Bill 300 & HIPAA. A MainNerve Whitepaper

Texas House Bill 300 & HIPAA. A MainNerve Whitepaper A MainNerve Whitepaper Overview If you do business in Texas and your organization handles, creates, stores, transmits or has access to electronic patient healthcare information, you need to be mindful

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) March 2011 Presentation by Jennifer L. Cox, J.D. Red Flags Rollback Red flags is going going and not

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

DALLAS ALLERGY & ASTHMA CENTER

DALLAS ALLERGY & ASTHMA CENTER DALLAS ALLERGY & ASTHMA CENTER Gary N. Gross, MD Michael E. Ruff, MD 5499 Glen Lakes Dr., Suite 100 Dallas, TX 75231 Dania A. Wierzbicki, MD Phone: (214) 691-1330 Jane Zepeda, PA-C FAX: (214) 691-6405

More information

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan.

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. AIS Special Report 1 AIS Special Report Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) By Francie Fernald,

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

View the Replay on YouTube

View the Replay on YouTube View the Replay on YouTube Privacy Implications of Texas HB 300: What Should You Be Doing Now? FairWarning Executive Webinar Series December 18, 2012 Agenda Privacy Implications of Texas HB 300: What Should

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update. Overview

Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update. Overview Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update The Bittinger Law Firm 13500 Sutton Park Drive South Suite 201 Jacksonville, Florida 32224 January 13, 2015 Ann M. Bittinger, Esq.

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

SOUTHLAKE DERMATOLOGY 1170 N. Carroll Ave. Southlake, TX 76092 www.southlakedermatology.com Main 817-251-6500 Fax 817-442-0550

SOUTHLAKE DERMATOLOGY 1170 N. Carroll Ave. Southlake, TX 76092 www.southlakedermatology.com Main 817-251-6500 Fax 817-442-0550 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. EFFECTIVE September 15, 2014 This Notice of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

New HIPAA Rules: A Guide for Radiology Providers

New HIPAA Rules: A Guide for Radiology Providers New HIPAA Rules: A Guide for Radiology Providers Adrienne Dresevic, Esq and Clinton Mikel, Esq The credit earned from the Quick Credit TM test accompanying this article may be applied to the AHRA certified

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors Health Care ADVISORY July 16, 2010 HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors On July 8, 2010, the Office for Civil Rights (OCR) of the Department of

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs

New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs Executive Summary After years of waiting for all of the anxious HIPAA-chondriacs out there, the HHS Office

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC

More information

APPLETREE PEDIATRICS, PA NOTICE OF PRIVACY PRACTICES

APPLETREE PEDIATRICS, PA NOTICE OF PRIVACY PRACTICES APPLETREE PEDIATRICS, PA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act February 20, 2013 Boston Brussels Chicago Düsseldorf Frankfurt Houston

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( the Agreement ) is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ( Business Associate

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

Implementation Business Associates and Breach Notification

Implementation Business Associates and Breach Notification Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com

More information

How To Write A Community Based Care Coordination Program Agreement

How To Write A Community Based Care Coordination Program Agreement Section 4.3 Implement Business Associate and Other Agreements This tool identifies the types of agreements that may be necessary for a community-based care coordination (CCC) program to have in place in

More information

Effective Date: March 23, 2016

Effective Date: March 23, 2016 AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

HIPAA Notice of Privacy Practices - Sample Notice. Disclaimer: Template Notice of Privacy Practices (45 C.F.R. 164.520)

HIPAA Notice of Privacy Practices - Sample Notice. Disclaimer: Template Notice of Privacy Practices (45 C.F.R. 164.520) HIPAA Notice of Privacy Practices - Sample Notice Disclaimer: Template Notice of Privacy Practices (45 C.F.R. 164.520) The information provided in this document does not constitute, and is no substitute

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Understanding HIPAA Regulations and How They Impact Your Organization!

Understanding HIPAA Regulations and How They Impact Your Organization! Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Privacy Rule)

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Privacy Rule) State of Tennessee Department of Finance and Administration Division of Health Care Finance and Administration HIPAA Business Associate Agreement THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is

More information

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES 1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date

More information