HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

Transcription

1 HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq.

2 Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September 23, 2013 Compliance Grandfathered BA September 22, 2014 Chanderraj Law Offices HIPAA Compliance Presentation 2

3 Overview of Changes Business Associate (BA) Revisions Notice of Privacy Practice Patient Right To Access/Request for Restrictions Breach Notification/Risk Assessment Strengthening of Enforcement Rule/CMP Chanderraj Law Offices HIPAA Compliance Presentation 3

4 Who Is a Business Associate? Entities that transmit and need routine access to PHI (e.g.hio, E-prescribing Gateway, others) PHR Vendors who serve CEs A person or entity that creates, receives, maintains, or transmits PHI for CE Chanderraj Law Offices HIPAA Compliance Presentation 4

5 Business Associate Potential Liabilities BA s Are Subject To: Ø HHS jurisdiction under HIPAA Ø Civil and Criminal penalties Chanderraj Law Offices HIPAA Compliance Presentation 5

6 Business Associate Agreements Required Provisions: ü Compliance with HIPAA Security and Privacy rules; ü Duty to quickly report Breach of unsecured PHI; ü Agreement with any subcontractor/agent that handles PHI; ü Make available to HHS internal practices, books and records; ü Material Violations = Termination; ü Return or Destruction of all PHI upon termination. Note: BA Agreements now in force are grandfathered until Sept. 22 of this year Chanderraj Law Offices HIPAA Compliance Presentation 6

7 Next steps: Evaluate your relationships to determine who might now be considered a BA Ensure that you have BA Agreements in place with additional contractors like your EMR vendors, data storage companies and e- prescribing gateways Review your existing BA Agreements to ensure that they are in compliance with the HIPAA megarule If the existing BA Agreement was entered into prior to 1/25/13, amend the BA by the earlier of: (1) the date that the BAA is renewed; or (ii) September 22, 2014 If the existing BA Agreement was entered into after 1/25/13, the agreement should have been amended by September 23, 2013 Chanderraj Law Offices HIPAA Compliance Presentation 7

8 Notice of Privacy Practices Required changes to Notice Description of types of uses and disclosures that need authorization Explanation of patients right to restrict disclosure Notification of breach of unsecured PHI Patient authorization/revocation/opt out Patient s right to access PHI in electronic format Chanderraj Law Offices HIPAA Compliance Presentation 8

9 Distribution of Revised Notices Revised Notices should be distributed to all new patients To existing patients upon request Displayed in prominent place in physical location Website Chanderraj Law Offices HIPAA Compliance Presentation 9

10 Limits on marketing of PHI Use of PHI for marketing without patient s express authorization generally prohibited Exceptions (if CE receives financial remuneration) Ø face-to-face encounter Ø Relating to drugs and biologics if financial remuneration is reasonably related to costs; and communication is about refill reminders or current prescriptions Chanderraj Law Offices HIPAA Compliance Presentation 10

11 Limitations on sale of PHI Sale of PHI without express patient authorization prohibited Exclusions ü Public health activities ü Research (limitations) ü Treatment and payment purposes ü Sale or merger of CE Chanderraj Law Offices HIPAA Compliance Presentation 11

12 Next steps Evaluate current relationships to determine whether they meet marketing or sales definitions under HIPAA Mega rule If you are on speakers bureaus for a pharmaceutical company, amend or terminate relationships or disclose relationship in privacy notice Ensure that patient marketing authorization forms have been updated to disclose financial remuneration received from third party; and state that individual may revoke authorization at any time Sale of PHI authorization must state that disclosure will result in financial remuneration to covered entity Chanderraj Law Offices HIPAA Compliance Presentation 12

13 Patient s Access To PHI Rights Providers need revise policies and procedure for patient s request for PHI to ensure: Format Electronic copy of records to third party Transmission Respond timely Accounting of disclosures Chanderraj Law Offices HIPAA Compliance Presentation 13

14 Request for Restrictions Paid-in-Full Restriction Narrow restriction on disclosure to a health plan if: Disclosure is for payment or health care operation purposes; Disclosure not otherwise required by law; and Restriction pertains solely to health care item or service for which individual/someone on individual s behalf (other than health plan) has paid provider in full Chanderraj Law Offices HIPAA Compliance Presentation 14

15 Breach Notification Rule What Constitutes a Breach? Acquisition, access, use or disclosure of unsecured PHI; In a manner not permitted by HIPAA; and Which poses a significant risk of financial, reputational or other ham What is not a Breach? PHI is considered secured Reasonable safeguards put in place Chanderraj Law Offices HIPAA Compliance Presentation 15

16 HITECH Act Breach Notification Breach Exceptions Disclosure made in good faith in the course of workplace events An inadvertent disclosure of PHI from an authorized individual to another similarly situated individual (No exception when individual was not authorized to access PHI) Disclosure to a person that could not reasonably retain the information Chanderraj Law Offices HIPAA Compliance Presentation 16

17 Breach Notification Requirements q Timing q Method q Breach > 500 people Chanderraj Law Offices HIPAA Compliance Presentation 17

18 Breach Notification Requirements Notification Content ü A brief description; ü types of unsecured PHI involved in the breach; ü steps that individuals should take to protect themselves; ü CE action to mitigate harm; and ü Contact information Chanderraj Law Offices HIPAA Compliance Presentation 18

19 Notification to the Secretary Determined by Number of Individuals Involved Individuals Involved Notification By 500 or More 60 Days Less than 500 Following End of Calendar Year Chanderraj Law Offices HIPAA Compliance Presentation 19

20 Changes to Breach Notification Rule Presumption of breach unless CE demonstrates low probability of harm based on risk assessment Factors to be Considered Type and amount of PHI involved Scope Identity of the recipient Intentional or unintentional Steps taken to mitigate Chanderraj Law Offices HIPAA Compliance Presentation 20

21 The Enforcement Rule Increased enforcement and reduced discretionary authority for willful neglect Ø OCR must investigate a complaint when a preliminary review of the facts indicates a possible violation due to willful neglect Ø Secretary must undertake a full HIPAA compliance review when a preliminary review of the facts indicates a possible violation due to wilful neglect Chanderraj Law Offices HIPAA Compliance Presentation 21

22 Civil Monetary Penalties Categories of Violations and Respective Penalty Amounts Available Violation Category Each Violation Cap applicable to all such violations of an identical standard in a calendar year Did Not Know $100 $50,000 $1,500,000 Reasonable Cause $1,000 $50,000 $1,500,000 Willful Neglect-Timely Corrected $10,000 $50,000 $1,500,000 Willful Neglect-Not Timely Corrected $50,000 $1,500,000 Chanderraj Law Offices HIPAA Compliance Presentation 22

23 Factors determining amount of CMP Nature and extent of the violation / resulting harm Entity s history of non-compliance and financial condition Use of corrective action plans Defenses Not due to willful neglect Timely corrected Chanderraj Law Offices HIPAA Compliance Presentation 23

24 Criminal Penalties Tier Potential Jail Sentence Unknowingly or with reasonable cause Under false pretenses Up to one year Up to five years For personal gain or malicious reasons Up to ten years Chanderraj Law Offices HIPAA Compliance Presentation 24

25 Recent Enforcement Trends November December COMPLAINTS No Violation Resolved Ineligible Complaints Complaints Ineligible Resolved No Violation Chanderraj Law Offices HIPAA Compliance Presentation 25

26 Resolution Expense: The Cost to Settle Recent Agreements & Civil Money Penalties (CMP) Date Entity Amount Dec. 26, 2013 Aug. 14, 2013 Adult & Pediatric Dermatology, P.C. Affinity Health Plan, Inc. $150,000 $1,215,780 July 11, 2013 WellPoint, Inc. $1,700,000 June 13, 2013 Shasta Regional Medical Center $275,000 May 31, 2013 ISU $400,000 Apr. 17, 2012 Phoenix Cardiac Surgery, P.C. $100,000 Note: No Resolution Agreements or CMPs Involving Nevada Entities Chanderraj Law Offices HIPAA Compliance Presentation 26

27 Avoiding Civil Money Penalties Best Defense = Planning ü Conduct an overall assessment of Current HIPAA Compliance ü Generally revise Operational procedures & forms affected by HIPAA Mega rule Training & Education ü Designate Compliance Officer & Committee ü Develop Communication & Reporting Systems ü Conduct Periodic Audits ü Evaluate & Enforce Compliance Efforts Chanderraj Law Offices HIPAA Compliance Presentation 27