Dissecting New HIPAA Rules and What Compliance Means For You

Transcription

1 Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions

2 TABLE OF CONTENTS Introduction 3 What Are the New HIPAA Rules? 4 Protected Health Information (PHI) and the Privacy and Security Rules 5 Breach Notification Rule Changes and Penalties 6 The Need for New Business Associate Agreements (BAAs) 8 The Need for Updated Risk Assessments 9 Implementing New Policies and Procedures 10 Training Employees on the Ongoing Needs of HIPAA Compliancy 11 Conclusion 13

3 Introduction HIPAA the Health Insurance Portability and Accountability Act was enacted in 1996 to protect health insurance coverage for workers and their families and establish national standards for electronic health care transactions pertaining to providers, employers, employees, and plans. HIPAA includes several facets, including the Privacy Rule, Security Rule, Enforcement Rule, Transactions and Code Sets Rule, and Unique Identifiers Rule. With health care technology changing rapidly, however, several amendments, enhancements, and changes have been made to HIPAA, the most important of which the new Omnibus Rule takes effect on September 23, This white paper aims to answer questions about how these new regulations apply, to whom, and how small to medium-sized businesses can chart the best course for compliancy by utilizing CMIT Solutions HIPAA Compliant Managed Services.

4 What Are the New HIPAA Rules? The Omnibus Rule, published on January 25, 2013 with an effective date of September 23, 2013, finalizes suggestions made in the 2009 HITECH (Health Insurance Technology for Economic and Clinical Health) Act. As part of the American Recovery and Reinvestment Act, more commonly known as the stimulus, HITECH allocated $19 billion to hospitals and physicians who demonstrated meaningful use of Electronic Medical Records (EMR) and Electrical Health Records (EHR). Any health care provider receiving meaningful use funds should be prepared for a potential audit by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), making compliance with revised HIPAA standards.

5 Protected Health Information (PHI) and the Privacy and Security Rules The most significant change contained within the Omnibus Rule concerns who must now comply with the Privacy and Security Rules that govern Protected Health Information (PHI). The Privacy Rule establishes national standards to protect individuals medical records and other information in regards to health plans, health care clearinghouses, and health care providers that conduct transactions electronically. The Rule also requires appropriate safeguards to protect the privacy of PHI, sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and gives patients rights to access and request corrections of their health records. 1 The Security Rule establishes national standards to protect individuals electronic PHI that is created, received, used, or maintained by a Covered Entity (CE). The Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. 2 1 HIPAA Administrative Simplification Statute and Rules, 2 HIPAA Administrative Simplification Statute and Rules,

6 In the past, only Covered Entities any organization that accepts payments from insurance companies, Medicare, or Medicaid were required by law to follow rules pertaining to PHI. But now, Business Associates (BAs) of those CEs IT service providers, lawyers, accountants, data processers, and others who may be privy to PHI are also held to the same standard. Additionally, third-party subcontractors of those BAs are now defined as BAs, as well. These new regulations even apply to organizations that simply maintain PHI data and may never access it. Breach Notification Rule Changes and Penalties Additionally, the Omnibus Rule implements revised policies and procedures pertaining to data breaches. Gone is the old harm standard that defined how breaches of PHI were handled, replaced by a new standard that states any impermissible use or disclosure of PHI, generally defined as a breach, is presumed to automatically require notification. There are three exceptions to this rule: 1) If the PHI is unintentionally acquired, accessed, or used by an employee acting under the authority of a Covered Entity or Business Associate. 2) If PHI is inadvertently disclosed from one person authorized to access it by his or her CE or BA to another person authorized to access it. 3) And if the CE or BA has a good faith belief that the unauthorized individual to whom the impermissible disclosure was couldn t have retained the information. Otherwise, breaches must be announced as follows: Covered Entities responsible for breaches affecting less than 500 people must notify the affected individuals and the CE s Business Associates within 60 days of the discovery of the breach. Breaches of

7 this size can be reported to the Secretary of the HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breaches occurred. In addition to the above methods, breaches affecting more than 500 people must also be reported to prominent media outlets serving the state or jurisdiction where the breach happened. Also, all notifications must be made within 60 days of the discovery of the beach. Penalties for PHI breaches have been significantly enhanced, as well. The American Recovery and Reinvestment Act of 2009 established a tiered civil penalty structure that remains subject to the discretion of the Secretary of HHS. Civil penalties can range from $100 per violation up to annual maximums of $1.5 million, with differing levels of assessment depending on the willful neglect exhibited by the HIPAA violation. In addition, criminal penalties are now a possibility for Covered Entities and specified individuals who knowingly obtain or disclose Protected Health Information. Prison terms can reach ten years for particularly egregious examples, including using individually identifiable health information for commercial advantage, personal gain, or malicious harm. 3 Remember not all incidents involving PHI are breaches. But all breaches begin as innocuous incidents, making diligence in the field of HIPAA compliancy a must. 3 HIPAA Administrative Simplification Statute and Rules, html

8 The Need for New Business Associate Agreements (BAAs) Of course, most health-care providers have no intentions of improperly handling or distributing their patients PHI. But the full impact of the new Omnibus Rule is most severely felt at the Business Associate level, where all previous Business Associate Agreements (BAAs) must be scrapped. In their place, both parties must agree to new BAAs that specifically protect the privacy and security of health information. If a supplier, vendor, or subcontractor could potentially access PHI, even in a worst-case scenario, a new BAA is needed. Understand that when you sign a BAA, you are attesting to and agreeing that your company, along with the other party to the agreement, follows HIPAA regulations. DO NOT SIGN BAAs with COVERED ENTITIES IF YOU ARE NOT SURE THEY ARE IN COMPLIANCE OR IF YOUR COMPANY IS NOT IN COMPLIANCE EITHER. Business Associates are now directly liable for HIPAA violations and must comply with all limitations and requirements included in the Privacy and Security Rules. The Omnibus Rule defines IT service providers as Business Associates if any data potentially containing PHI is maintained in the performance of its role as a service provider. This applies even if the BAA with the CE does not anticipate any access to the PHI, or anticipates access only on a random or incidental basis. Also, BAs like IT providers, lawyers, or accountants are required to maintain BAAs with their own subcontractors or downstream entities and assume obligation of compliance with those parties. Although HHS has extended the transition period for some grandfathered-in BAAs until September 22 nd, 2014, instituting a

9 comprehensive HIPAA compliancy package now will save your business from the impact of potential problems ahead. The transition provision only applies if the BAA was in existence and HIPAAcompliant prior to publication of the Omnibus Rule on January 25, 2013, and if it is not renewed or modified during the grandfather period. The Need for Updated Risk Assessments Even after new Business Associate Agreements are signed, ensuring you re your company and your BAs are HIPAA compliant doesn t stop. All companies involved in any way with the health care marketplace should undergo an updated Privacy and Security Rule Risk Assessment, one of the core bedrocks of CMIT s HIPAA Compliant Managed Services. Conducting an analysis like this represents the first step in identifying and implementing policies and procedures that comply with and carry out the standards set out by the Omnibus Rule. A HIPAA risk assessment will also determine whether your company could pass an independent audit of the hundreds of HIPAA citations and components up for examination.

10 Implementing New Policies and Procedures Here at CMIT Solutions, we ve focused on establishing four basic operating procedures that offer the highest level of HIPAA compliancy. 1) Maintaining the integrity of login credentials or access to any systems that create, read, update, or delete Protected Health Information (PHI), Electronic Medical Records (EMR), or Electronic Health Records (EHR). 2) Encrypting any and all data accessed on behalf of a Covered Entity (CE) with top industry encryption techniques. 3) Refusing to hold encryption keys that could access a CE s client data. 4) Requiring clients to physically and programmatically secure any systems that access PHI or medical equipment where PHI is created, read, updated, or deleted.

11 These four pillars may or may not work for your company. But, at the very least, you should ensure that your IT service provider follows these procedures. If they don t, we urge you to look into a program like CMIT s HIPAA Compliant Managed Services. Training Employees on the Ongoing Needs of HIPAA Compliancy Many Covered Entities and Business Associates might assume that HIPAA compliance is something that can be achieved by performing one clearly defined set of actions. Even after completing all of the steps listed above, action is still required, however. The best way to ensure that your company maintains HIPAA compliance now and into the future, consider naming someone on your leadership team as a HIPAA Privacy and Security Officer and/or HIPAA Compliance Officer. These roles should be assigned and trained BEFORE you execute any new Business Associate Agreements.

12 The HIPAA Privacy and Security Office and/or HIPAA Compliance Officer should be certified in HIPAA compliancy and familiar with all rules and auditing processes. That person or persons can then execute HIPAA compliance training for your entire staff. Each individual should receive appropriate training that s pertinent to his or her role, and all training should be tracked and maintained in a training log. Training should occur at least once a year, with quarterly updates undertaken as needed. Once training is complete, a HIPAA Privacy and Security Management Plan should be implemented in your office, ensuring that all new policies and procedures meet the six-year data-archiving requirement contained within HIPAA regulations. All staff members should be made aware of HIPAA Privacy and Security Rules, understand the definition of PHI, and be able to recognize and report both data breaches and any potentially prohibited behaviors.

13 Conclusion On its own, IT security is a complicated field add on new layers of government regulations and the prospect of this new Omnibus Rule going into effect on September 23rd is downright terrifying and beyond complex. HIPAA compliance can seem painful and expensive, but that s why CMIT Solutions offers specifically tailored HIPAA Compliant Managed Services right-sized for your company.

14 About The Authors Cindy Phillips, Director of Product Management, CMIT Solutions Cindy serves as the Director of Product Development for CMIT Solutions. She is responsible for the product and services roadmap and performs market research to assure that CMIT Solutions offerings meet the dynamic and changing demands of the small to medium-sized business community. Cindy holds a Bachelor s Degree in Chemical Engineering from the University of Missouri at Columbia, an MBA from Maryville University, and is a graduate of the Institute for Managerial Leadership at the University of Texas at Austin and Leadership Austin. Kelly McClendon, RHIA, CHPS, Managing Partner/Chief Marketing Officer, CompliancePro Solutions Kelly is a well-known consultant and industry expert in patient privacy and security, with specific subject matter expertise in the areas of privacy incident, detection, and automation. He is also an industry expert in legal health records, HIM operations, electronic document management, and EHR project planning. Kelly is a frequent industry speaker and received the FHIMA Distinguished Member Award in 2008 and the AHIMA Visionary Award in Kelly has held senior management positions at Eclipsys and MedPlus and founded the consulting firm Health Information Xperts.