HIPAA Compliance: Are you prepared for the new regulatory changes?

Transcription

1 HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Baker Tilly Virchow Krause, LLP

2 2 Your Presenters Dan Steiner, Manager MBA, CPA, CFE, ARM >Dan Steiner is a Manager in the Risk Services Group >Specializes in enterprise risk management, internal controls, risk transfer solutions, HIPAA compliance, Service Organization Control (SOC) reporting, crisis management, and business continuity 2

3 3 Your Presenters Christine Duprey, VP and Co-Owner >Chris has over 19 years of health care experience >Has spent the past six years consulting many organizations in the public and private sector through their HIPAA initiatives in assessment, planning and execution. >Performed business analysis for hospital practices to streamline business processes, increasing efficiency and increase awareness to employees to eliminate waste within their processes. 3

4 4 Your Presenters Megan Blaser, Consultant >Has a Master s of Arts and Education in Adult Education and Training >Helps companies with their compliance initiatives by conducting risk assessment > provides the necessary education and training for companies to successfully implement their compliance plans 4

5 Agenda > HIPAA Regulation Integration and Relationship > HIPAA - Omnibus Final Rule Modification Impacts to Privacy, Security, Breach and Enforcement Business Associate Responsibilities Satisfactory Assurances Breach Notification (Final Rule) Civil Monetary Penalties > Unsecured PHI > Security and Privacy Rule Overview > Compliance Readiness > Next Steps > Appendix 5 5

6 A Brief History of HIPAA HIPAA Health Insurance Portability and Accountability Act (1996) Security (2003) American Recovery and Reinvestment Act ARRA (2009) Division A- Appropriations Provisions Title XIII Health Information Technology Improved Privacy and Security Provisions Electronic Data Interchange Privacy (2000) Genetic Information Nondiscrimination Act GINA (2008) Patient Protection and Affordable Care Act HIPAA Final Omnibus Rules Published January 25 th, 2013 (Effective March 26 th, 2013, compliance required by September 23 rd, 2013) 6

7 Modifications Privacy Security > Modifies the notice of privacy practices > Modifies the individual authorization > Enables access to decedent information > Sets limitations on use and disclosure of PHI for Marketing and Fundraising > Modifies Privacy to incorporate GINA Act requirements > Expands individual rights > Business Associates are directly liable > Business Associates are directly liable > Modifies Security regulations to include business associate requirements of ARRA Breach Notification > Final rule on Breach Notification Enforcement > Increased and tiered Civil Money Penalties > Adopt HITECH Act enhancements to the Enforcement Rule addressing willful neglect 7 7

8 Business Associates > Business Associate a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate. > Examples of Business Associates include: Third Party Administrators Patient Safety Organizations - New Print and Mail Services IT Troubleshooting and Support Shredding and Disposal Data Management Companies 8 8

9 Business Associate Requirement Changes 1996 Covered entity must obtain the written assurances (Business Associate Agreement) monitoring not required ARRA deems the Business Associate just as responsible for the execution of the Business Associate Agreement and applies Civil Monetary Penalties to BA s Business Associates are responsible to obtain BAA with their subcontractors. May need to provide or obtain satisfactory assurances that they or their subcontractors are compliant. 9 9

10 Business Associate Agreement Compliance due date September 23, 2013 or September 23, 2014? 10

11 Where are you? >Have all Business Associates been identified?» Are the Business Associate Agreements updated and executed since 2009? >Have you identified situations when you are the Business Associate to others?» Are the Business Associate Agreements updated and executed since 2009 >What work is left?» Updating and re-execution of ALL Business Associate Agreements by 9/23/2013» Agreements executed by January 25, 2013 will have until 9/23/2014 to complete these BAAs. 11

12 Polling Question > Have you identified the relationships where you are the business associate and others are a business associate to you? A. Yes B. No C. Somewhat D. Not sure 12 12

13 Satisfactory Assurances > Organizations will need to determine the level of satisfactory assurances it will need to feel comfortable that compliance is met. Direction has not been provided as to the level of satisfactory assurances; Business Associates will need to consider for Subcontractors; Implementation; and Oversight > Expectations from Covered Entity s by September 23, 2013 Satisfactory Assurances 13 13

14 Breach Notification The Final Rule was published on January 25, 2013 to be effective on March 23, 2013 with compliance required by September 23, In 1996 HIPAA did not require notification when patient PHI was inappropriately disclosed, covered entities may have chosen to include notification as part of the mitigation process. In 2009 ARRA/HITECH does require notification of certain breaches of unsecured PHI to the following: Individuals Department of Health and Human Services (HHS) Media On January 25, 2013, the Final Breach Notification Rule was published, requiring an entity to assess the probability that the protected health information has been or may be further compromised based on a risk assessment

15 Risk Factors to Consider for Breach Notification (1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification (2) The unauthorized person who used the protected health information or to whom the disclosure was made (3) Whether the protected health information was actually acquired or viewed (4) The extent to which the risk to the protected health information has been mitigated 15 15

16 Application of Provisions and Penalties to Covered Entities CE responsible for BA, and subject to fines and penalties. HITECH/ARRA penalties introduced by increasing the fines and levels of penalties. Omnibus Rule- CE & BA responsible for the compliance and satisfactory assurances. Final modification which enhanced civil monetary penalties. Example: How will fines be assessed? > Company X was in violation, and were fined according to Tiered description. > Company X was in violation, Company X will be evaluated to determine the degree of the penalties

17 Penalty Considerations > Nature and extent of the violation > Nature and extent of the harm resulting from the violation > History or prior compliance with the administrative simplification provision, including violations by the covered entity or business associate, consideration of which may include but is not limited to: Financial condition of the covered entity or business associate Such other matters as justice may require 17 17

18 Unsecure PHI > Unsecured PHI: Means PHI that is not secured through the use of a technology or methodology specified by the Guidance Specifying the Technologies and Methodologies that render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under HITECH/ARRA; Request for information

19 Compromising PHI Data Data in Motion data that is moving through a network, including wireless transmission; Data at Rest data that resides in databases, file systems, and other structured storage methods; Data in Use data in the process of being created, retrieved, updated, or deleted; or Data Disposed discarded paper records or recycled electronic media 19 19

20 Have you implemented? > Encryption Recommendations for the industry encryption standards to meet definition for secured PHI > Destruction Recommendations for the industry destruction standards to meet the definition of secured PHI > Storage Recommendations for the industry storage of electronic media to meet the definition of secured PHI 20

21 Polling Question > Based on our discussion are you comfortable that your organization is adequately protecting PHI? A. Yes B. No C. Still not sure 21 21

22 Security Rules > Applicability. > Definitions. > Security Standards: General Rules. > Administrative Safeguards. > Physical Safeguards. > Technical Safeguards. > Organizational Requirements. > Policies and Procedures and Documentation Requirements. > Compliance Dates for the Initial Implementation of the Security Standards. Standards in bold represent the requirements applicable to the Business Associate via the ARRA 22 22

23 Have you completed necessary tasks? > Has the Security Risk Assessment been Performed? Have the Risks, Threats and Vulnerabilities been identified? Have controls been implemented to mitigate the risk identified? > Has Access to systems, workstations, programs been assessed? Have appropriate authorization and supervision of access has been implemented? Have workforce members been identified? > Has the Contingency Plans been developed and updated? Do they include: Back-up plans, disaster recovery, emergency mode of operation plans > Has the Security Awareness Training been Completed? Security Reminders Protection from Malicious Software Log-in Password Management 23

24 Privacy Rules Uses and Disclosures > Applicability > Definitions > Uses and Disclosures of PHI: General Rules > Uses and Disclosures: Organizational Requirements > Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations > Uses and Disclosures for which an Authorization is Required > Uses and Disclosures Requiring an Opportunity to Agree or to Object > Uses and Disclosures for which an Authorization, or Opportunity to Agree or Object is Not Required > Other Requirements Relating to Uses and Disclosures of PHI 24

25 Privacy Rules Patient Rights > Notice of Privacy Practices for PHI > Rights to Request Privacy Protection for PHI > Access of Individuals to PHI > Amendment of PHI > Accounting of Disclosures of PHI > Administrative Requirements > Transition Provisions > Compliance Dates for Initial Implementation of Privacy Standards. 25

26 COMPLIANCE READINESS Are you a Compliant Entity?

27 Required Tasks Performing the PHI Trail Privacy HIPAA has been around for 10 years, lack of these basic tasks are Willful Neglect OCR Speaker Conduct the Gap Assessment to: > Create the PHI trail for information created, received, accessed, modified, stored, transmitted, or destroyed > Analyze uses and disclosures throughout the organization > Identify gaps in policies, procedures and current processes > Identify and execute BAAs with Business Associates Create Necessary Documents: > Notice of Privacy Practices > Authorization for the Release and Disclosure of PHI > Policies and Procedures for each Privacy requirement, standard and implementation specification > Create minimum necessary rules > Perform annual training and education > Create final compliance documentation Performance of an Annual Assessment to mitigate risks of non-compliance, ensure policy reflects practice and employees are educated 27

28 Required Tasks Performing the e-phi Trail Security Conduct Security Risk Assessment to: > Analyze electronic use and disclosure of e-phi > Determine mechanisms utilized to create, transmit, store and/or destroy information > Review current access authorizations and supervision > Review contingency plans > Assess risks, threats and vulnerabilities Create Necessary Documents: > Document compliance assessment findings > Identify implementation and remediation tasks > Policies and Procedures for each Privacy requirement, standard and implementation specification > Create final assessment documentation Complete Remediation Tasks > Perform annual Security Awareness and Training > Perform system control tests > Implement remediation controls > Implement secure transmissions > Implement physical facility securities 28

29 Compliance Planning How would exposure and risk of your company reputation affect your business if there was a breach or penalty for non-compliance? > Build a compliance plan that ensures compliance can be maintained > Daily observance and enforcement of the Privacy and Security regulations are the best source of maintaining compliance > Annual Activities should include: > Compliance review and assessments > Training for Privacy and Security Awareness > Security risk assessments > Contingency planning and testing > Policy and procedure review and modification > Control remediation and implementation > Budget process should include dollars for the daily observance and enforcement, annual assessments and remediation tasks > New Products or Services > Keep compliance on the front end and avoid costly mistakes in product development > Test the compliance components to ensure they meet the requirements for securing PHI 29

30 Polling Question > Do you feel confident that if the OCR were to audit your company today, you would not be left with a fine or penalty? A. Yes B. No C. Not sure 30

31 Next Steps > Make a plan for compliance > Assess the Business Associate Relationships > Update all existing Business Associate Agreements > Obtain signatures from all parties > Complete necessary requirements, standards and implementation specifications > Train all workforce members and management > Develop, or modify all Policies and Procedures > Determine the satisfactory assurances required from your subcontractors > Make a plan to budget and maintain compliance 31

32 Contact Information Christine Duprey Co-Owner/Partner CARIS Innovation, Inc. (920) (office) (920) (mobile) Megan Blaser Consultant CARIS Innovation, Inc. (920) (office) (920) (mobile) Dan Steiner Manager Baker Tilly (920) (office) (608) (mobile) 32

33 APPENDIX A Security Regulations

34 Administrative Safeguards > (1) Standard: Security Management Practices Implement policies and procedures to prevent, detect, contain and correct security violations Implementation Specifications: Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) > (2) Standard: Assigned Security Responsibility 34

35 Administrative Safeguards > (3) Standard: Workforce Security Implement policies and procedures to provide workforce with the access they need and prevent those workforce members from accessing information they do not need Implementation Specifications: Authorization and/or Supervision (A) Workforce Clearance Procedures (A) Termination Procedures (A) 35

36 Administrative Safeguards > (4) Standard: Information Access Management Implement policies and procedures to provide access to PHI in accordance with Privacy Implementation Specifications: Isolating Health Care Clearinghouse Functions (R) Access Authorization (A) 36

37 Administrative Safeguards > (5) Standard: Security Awareness and Training Implement a security awareness and training program for all workforce members Implementation Specifications: Security Reminders (A) Protection from malicious software (A) Log-in Monitoring Access (A) Password Management (A) 37

38 Administrative Safeguards > (6) Standard: Security Incident Procedures Implement policies and procedures to address security incidents Implementation Specifications: Response and Reporting (R) > (7) Standard: Contingency Plan Establish and implement as needed policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI Implementation Specifications: Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedures (A) Applications and Data Criticality Analysis (A) 38

39 Administrative Safeguards > (8) Standard: Evaluation Perform a periodic technical and non-technical evaluation > Standard: Business Associate Contracts and other arrangements Applicability of the Business Associate Agreement to the covered entity and those entities they do business with Implementation Specification: Written contract or other arrangement (R) 39

40 Physical Safeguards > (1) Standard: Facility Access Controls Implement policies and procedures that limit physical access to the electronic systems that contain information for the facilities in which they are housed while ensuring authorized access is allowed Implementation Specifications: Contingency Operations (A) Facility Security Plan (A) Access control and validation procedures (A) Maintenance Records (A) 40

41 Physical Safeguards > Standard: Workstation Use Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and physical attributes of the surroundings of a specific workstation or class of workstation that can access ephi. > Standard: Workstation Security 41

42 Physical Safeguards > Standard: Device and Media Controls Implement policies and procedures the govern the receipt and removal of hardware and electronic media that contain ephi iinto and out of a facility, and the movement of these items within the facility. Implementation Specifications: Disposal (R) Media re-use (R) Accountability (A) Data backup and storage (A) 42

43 Technical Safeguards > Standard: Access Control Implement technical policies and procedures for electronic information systems that maintain ephi to allow access only to those persons or software programs than have been granted access rights under Administrative Safeguards. Implementation Specifications: Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) 43

44 Technical Safeguards > Standard: Audit Controls Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ephi. Implementation Specifications: Mechanism to authenticate ephi (A) > Standard: Person or entity authentication Implement procedures to verify that a person or entity seeking access to ephi is the one claimed. 44

45 Technical Safeguards > Standard: Transmission Security Implement technical security measures to guard against unauthorized access to ephi that is being transmitted over an electronic communications network. Implementation Specifications: Integrity Controls (A) Encryption (A) 45

46 Organizational Requirements > Standard: Business Associate Contracts or Other Arrangements. Contracts between the covered entity and the business associates Implementation Specifications: Business Associate Agreements (R) > Standard: Requirements for Group Health Plans Ensuring plan documents are updated appropriately Implementation Specifications: Amend Plan Documents (R) 46

47 Policies and Procedures and Documentation Requirements > Standard: Policies and Procedures Implement reasonable and appropriate policies and procedures comply with the standards, implementation specifications, or other requirements of Security. > Standard: Documentation Maintain policies and procedures implemented to comply with Security in written (electronic) form; and If an action, activity or assessment is required by this subpart to be documented, maintain a written (electronic) record of the action, activity, or assessment. Implementation Specifications: Time Limit 6 years (R) Availability (R) Updates (R) 47

48 APPENDIX B Privacy Regulations

49 Uses and Disclosures of PHI: General Rules > (a) Standard. A covered entity or business associate may not use or disclose PHI, except as permitted or required by Privacy or by Compliance and Enforcement of part 160 of General Administrative Requirements > (b) Standard. Minimum Necessary > (c) Standard. Uses and Disclosures of PHI subject to an agreed upon restriction. > (d) Standard. Uses and Disclosures of De-Identified PHI > (e) Standard. Disclosures to Business Associates > (f) Standard. Deceased Individuals > (g) Standard. Personal Representatives > (h) Standard. Confidential Communications > (i) Standard. Uses and Disclosures Consistent with Notice > (j) Standard. Disclosures by Whistleblowers and Workforce Member Crime Victims 49

50 Uses and Disclosures: Organizational Requirements > (e)(1) Standard. Business Associate Contracts (e)(2) Implementation Specifications: Business Associate Contracts (e)(3) Implementation Specifications: Other Arrangements (e)(4) Implementation Specifications: Other Requirements for Contracts and Other Arrangements > (f)(1) Standard. Requirements for Group Health Plans (f)(2) Implementation Specifications: Requirements for Plan Documents (f)(3) Implementation Specifications: Uses and Disclosures > (g)(1) Standard. Requirements for a Covered Entity with Multiple Covered Functions. 50

51 Consent for Uses or Disclosures to Carry out Treatment, Payment or Health Care Operations > (a) Standard. Permitted Uses and Disclosures > (b) Standard. Consent for Uses and Disclosures Permitted (c) Implementation Specifications: Treatment, Payment or Health Care Operations 51

52 Uses and Disclosures for which an Authorization is Required > (a) Standard. Authorizations for Uses and Disclosures (b) Implementation Specifications: General Requirements (c) Implementation Specifications: Core Elements and Requirements 52

53 Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object > (a) Standard. Uses and Disclosures for Facility Directories > (b) Standard. Uses and Disclosures for Involvement in the Individual s Care and Notification Purposes. 53

54 Uses and Disclosures for which an Authorization, or Opportunity to Agree or Object is Not Required > (a) Standard. Uses and Disclosures Required by Law > (b) Standard. Uses and Disclosures for Public Health Activities > (c) Standard. Disclosures about Victims of Abuse, Neglect, or Domestic Violence > (d) Standard. Uses and Disclosures for Health Oversight Activities > (e) Standard. Disclosures for Judicial and Administrative Proceedings > (f) Standard. Disclosures for Law Enforcement Purposes > (g) Standard: Uses and Disclosures About Decedents > (h) Standard: Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes > (i) Standard: Uses and Disclosures for Research Purposes > (j) Standard: Uses and Disclosures to Avert a Serious Threat or Safety > (k) Standard: Uses and Disclosures for Specialized Government Functions > (l) Standard: Disclosures for Workers compensation 54

55 Other Requirements Relating to Uses and Disclosures of PHI > (a) Standard. De-identification of PHI (b) Implementation Specifications: Requirements for De-Identification of PHI. (c) Implementation Specifications: Re-identification > (d)(1) Standard. Minimum Necessary Requirements (d)(2) Implementation Specifications: Minimum Necessary Uses of PHI (d)(3) Implementation Specifications: Minimum Necessary Disclosures of PHI (d)(4) Implementation Specifications: Minimum Necessary Requests for PHI (d)(5) Implementation Specifications: Other Content Requirement > (e)(1) Standard. Limited Data Set (e)(2) Implementation Specifications: Limited data set (e)(3) Implementation Specifications: Permitted Purposes for Uses and Disclosures (e)(4) Implementation Specifications: Data Use Agreement > (f)(1) Standard. Uses and Disclosures for Fundraising (f)(2) Implementation Specifications: Fundraising Requirements > (g)(1) Standard: Uses and Disclosures for Underwriting and Related Purposes > (h)(1) Standard: Verification Requirements (h)(2) Implementation Specifications: Verification 55

56 Notice of Privacy Practices for PHI > (a) Standard. Notice of Privacy Practices (b) Implementation Specifications: Content of Notice (c) Implementation Specifications: Provision of Notice (d) Implementation Specifications: Joint Notice by Separate Covered Entities (e) Implementation Specifications: Documentation 56

57 Rights to Request Privacy Protection for PHI > (a)(1) Standard. Right of an Individual to Request Restriction of Uses and Disclosures (a)(2) Implementation Specifications: Terminating a Restriction > (b)(1) Standard. Confidential Communications Requirements (b)(2) Implementation Specifications: Conditions of Providing Confidential Communications 57

58 Access of Individuals to PHI > (a) Standard. Access to PHI (b) Implementation Specifications: Requests for Access and Timely Action (c) Implementation Specifications: Provision of Access (d) Implementation Specifications: Denial of Access (e) Implementation Specifications: Documentation 58

59 Amendment of PHI > (a) Standard. Right to Amend (b) Implementation Specifications: Requests for Amendment and Timely Action (c) Implementation Specifications: Accepting the Amendment (d) Implementation Specifications: Denying the Amendment (e) Implementation Specifications: Actions on Notices of Amendment (f) Implementation Specifications: Documentation 59 59

60 Accounting of Disclosures of PHI > (a) Standard. Right to an Accounting of Disclosures of PHI (b) Implementation Specifications: Content of the Accounting (c) Implementation Specifications: Provision of the Accounting (d) Implementation Specifications: Documentation 60

61 Administrative Requirements > (a)(1) Standard. Personnel Designations (a)(2) Implementation Specifications: Personnel Designations > (b)(1) Standard. Training (b)(2) Implementation Specifications: Training > (c)(1) Standard. Safeguards (c)(2)(i) Implementation Specifications: Safeguards > (d)(1) Standard. Complaints to the Covered Entity (d)(2) Implementation Specifications: Documentation of Complaints > (e)(1) Standard. Sanctions. (e)(2) Implementation Specifications: Documentation > (f) Standard. Mitigation. > (g) Standard. Refraining from Intimidating or Retaliatory Acts > (h) Standard. Waiver of Rights > (i)(1) Standard. Policies and Procedures > (i)(2) Standard. Changes to Policies or Procedures (i)(3) Implementation Specifications: Changes in Law (i)(4) Implementation Specifications: Changes to Privacy Practices stated in the Notice (i)(5) Implementation Specifications: Changes to Other Policies or Procedures > (j)(1) Standard. Documentation (j)(2) Implementation Specifications: Retention Period > (k) Standard. Group Health Plan 61

62 Transition Provisions > (a) Standard. Effect of Prior Authorizations (b) Implementation Specifications: Effect of Prior Authorization for Purposes Other Than Research (c) Implementation Specifications: Effect of Prior Permission for Research > (d) Standard. Effect of Prior Contracts or Other Arrangements with Business Associates (e) Implementation Specifications: Deemed Compliance 62

63 Questions? Dan Steiner Christine Duprey Megan Blaser

64 Disclosure Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought Baker Tilly Virchow Krause, LLP 64