THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

Transcription

1 THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC Consulting Legal Notice Any recommendations offered are intended to be advisory only and should not be construed as legal advice. MMIC does not undertake to establish any standards of medical practice and makes no warranty that recommendations provided guarantee compliance with applicable rules and regulations. MMIC assumes no responsibility for regulatory or administrative actions, investigations, findings, fines or penalties. 1

2 Learning Objectives Attendees will learn about Privacy and security interdependencies Highlights of the Final Rule How the Final Rule supports integration Agenda Review of HIPAA Regulations HIPAA in practice Overview of the Final Omnibus Rule Choreographing privacy and security HIPAA Terms BA Business Associate BAA Business Associate Agreement CE Covered Entity CMP Civil Money Penalties GINA Genetic Information Nondiscrimination Act HHS Department of Health and Human Services HIPAA Health Insurance Portability and Accountability Act HITECH Health Information Technology for Economic and Clinical Health OCR Office for Civil Rights PHI Protected Health Information 2

3 A Look Back You just can't take a crash course to be a tango dancer in a movie. - Robert Duvall History of HIPAA History of HIPAA

4 History of HIPAA History of HIPAA History of HIPAA

5 Federal and State Law Federal State 5

6 External Pressures Never dance in a puddle when there's a hole in your shoe... John D. Rhodes, author External Pressures Slow pace of regulation Increased EHR adoption Increased privacy awareness Increased enforcement Increased penalties STRENGTH. STRENGTH. SERVICE. SERVICE. KNOW-HOW. KNOW- VISION. The main problem is technology is moving faster than privacy laws can be written. James Pyles, Co-founder and Principal Law Firm of Powers, Pyles, Sutter, & Verville Source: 2nd International Summit on the Future of Health Privacy 6

7 CMS EHR Incentive Program Advanced Clinical Processes Improved Outcomes 2015 Data Capturing and Sharing STAGE 2 STAGE STAGE 1 EHR Adoption on the Rise ( ) Office-Based Provider Adoption HITECH Source: US Department of Health and Human Services, Office of the National Coordinator for Health IT, Health IT Dashboard EHR Adoption on the Rise ( ) Hospital Adoption HITECH Source: US Department of Health and Human Services, Office of the National Coordinator for Health IT, Health IT Dashboard 7

8 Increasing Public Awareness of Privacy Issues Ease of Access to File Complaints Number of Complaints Increasing ,190 Complaints since

9 HITECH HITECH Enforcement The HITECH Impact Enforcement Increased Civil Monetary Penalties Business Associate Compliance Audit Program Patient Rights To Access and Restrict Accounting of Disclosures Increased Privacy Provisions for Research, Marketing, Fundraising Prohibition of Sale of Patient Information without Authorization Enforcement The HITECH Impact Enforcement Increased Civ il Monetary Penalties Business Associate Compliance Audit Program Patient Rights To Access and Restrict Accounting of Disclosures Increased Privacy Provisions for Research, Marketing, Fundraising Prohibition of Sale of Patient Information without Authorization Enforcement Activities Rising Total Resolutions Investigations Corrective Actions

10 DUE DILIGENCE Imposition of Civil Money Penalties (CMP) HIGH Violation Category All Violations Prohibition of Penalty Each Violation of Identical Provision 30 Days Min Max Max / Year to Correct Did Not Know Allowed $100 $50,000 Reasonable Cause Allowed $1,000 $50,000 Willful Neglect Corrected $10,000 $50,000 $1.5 Million LOW Willful Neglect Not corrected $50,000 $50,000 LOW HARM HIGH Note: Maximum can be imposed by State Attorneys General regardless of the type of violation. Resolution Agreements & CMP Reached Year Organization Payment/CMP Hospice of Northern Idaho $50,000 Massachusetts Eye and Ear $1,500, Alaska DHSS $1,700,000 Phoenix Cardiac Surgery $100,000 BCBST $1,500,000 UCLA Health System $ 800, Mass General $1,000,000 Cignet Health (CMP) $4,300, Management Services Org $35,000 Rite Aid Corp $1,000, CVS Pharmacy $2,250, Providence Health & Services $100,000 Resolution Agreements Contract with HHS Corrective Action Plan (CAP) Obligations for compliance Reporting requirements Resolution Payment (likely) Reserved to settle investigations with more serious outcome Civil money penalties (CMPs) May be imposed for noncompliance 10

11 Resolution Agreements & CMP Reached Year Organization Payment/CMP Hospice of Northern Idaho $50,000 5 Massachusetts Eye and Ear $1,500, Alaska DHSS $1,700,000 Phoenix Cardiac Surgery $100,000 3 BCBST $1,500,000 UCLA Health System # Increasing $ 800, Mass General $1,000,000 Cignet Health (CMP) $4,300,000 1 Management Services Org $35, Rite Aid Corp $1,000, CVS Pharmacy $2,250, Providence Health & Services $100,000 Resolution Agreements & CMP Reached Year Organization Payment/CMP $7,000,000 Hospice of Northern Idaho $50,000 Massachusetts Eye and Ear $1,500,000 $6,000, Alaska DHSS $1,700,000 $5,000,000 Phoenix Cardiac Surgery $100,000 $4,000,000 BCBST $1,500,000 $3,000,000 UCLA Health System $ Increasing $ 800, Mass General $1,000,000 $2,000,000 Cignet Health (CMP) $4,300,000 $1,000,000 Management Services Org $35, $- Rite Aid Corp $1,000, CVS 2008 Pharmacy $2,250, Providence Health & Services $100,000 Fast EHR Adoption + Slow Enforcement = Compliance Gap Rapid EHR Adoption

12 Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998 Time and Language Creates a Gap Privacy was easy Rules were prescriptive Privacy Security Delegated to IT Too technical EHR adoption low Low understanding Language is different Increased EHR adoption Fast adoption of technology Security policies still not in place HITECH Omnibus Supporting integration of Privacy and Security HIPAA Privacy and Security Language Privacy Personnel designation Training Safeguards Sanctions Mitigation Complaints to the covered entity Security Assigned security responsibility Security awareness and training Administrative, Physical, Technical Sanction policy Security Management Process Security incident procedures Activities should be aligned within a consistent compliance program. Documentation Remediation Responsibility Compliance Program Monitoring Training Enforcement Communication 12

13 Privacy Security In reality, activities are inconsistent. Documentation Remediation Responsibility Security Privacy Monitoring Training Enforcement Communication Who is leading the dance? Access to PHI Use and Disclosure Minimum Necessary Security Incidents & Breach Roles in incidence response Incident response plan Training & Coordinated Compliance efforts Highlights of the Final Omnibus Rule The problem is not making up the steps but deciding which ones to keep. Mikhail Baryshnikov 13

14 This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. Leon Rodriguez, Director HHS Office for Civil Rights Source: HHS Press Release, January 17, Highlights of the Final Omnibus Rule Business associates Individual rights Notice of privacy practices Breach notification Other changes Highlights of the Final Omnibus Rule Business associates Individual rights Notice of privacy practices Breach notification Other changes 14

15 Changes Business Associate Business associate Definition Direct liability Subcontractors Business Associate Definition Creates, receives, maintains or transmits PHI Providing professional services to or for the CE involving PHI Health information organization (HIEs), e-prescribing gateway or other person that provides data transmission services of PHI and requires routine access PHR vendors that provide service to CEs Subcontractors of BA Business Associate Covered Entity Business Associate Subcontractor 15

16 Business Associate Must comply with use/disclosure limitations in BAAs and those in Privacy Rule Direct HIPAA liability Comply with the entire Security Rule Technical Administrative Physical safeguards Business Associate Agreements Permitted and required use and disclosures Minimum necessary Implementation of appropriate safeguards Report breach to CE Disclose PHI to CE as necessary for CE to met obligation for individuals request for accountings Comply with Privacy Rule Minimum necessary Cooperate with HHS Require subcontractors agree to restrictions Business Associate Agreement Sample BAA on the OCR website Transition provisions if the BAA was effective before January 25, 2013 update by September 22, 2014 For new BAAs September 23,

17 Business Associate Tips Identify your business associates Take a broad view Review your BAAs If you don t have one get one Review what PHI BA is accessing Minimum necessary Plan for notification if there is a breach Highlights of the Final Omnibus Rule Business associates Individual rights Notice of privacy practices Breach notification Other changes Individual Rights Access information Electronic copy Notice Right to restrict disclosure 17

18 Individual Rights- Access 30 days Electronic copy of the record If requested In the form/format requested Must include all the ephi held in designated record set by the CE Include images or other data If there are security concerns CE not required to use the individuals portable device Encryption Unencrypted if advise of the risk and the patient agrees Individual Rights- Electronic Access If requested the CE must provide an electronic copy directly to another person designated by the individual Labor fees for copying (paper or electronic) Reasonable Cost-based Lower state costs apply Cannot charge for Costs of technology, data access storage Retrieval fee If there are security concerns CE not required to use the individuals portable device Individual Rights- Request Restrictions Patients have the right to restrict disclosing to health plan CE must agree to this if PHI is solely related to care that individual has paid for in full out of pocket Not required by another law Cannot release for health care operations or payment 18

19 Highlights of the Final Omnibus Rule Business associates Individual rights Notice of privacy practices Breach notification Other changes Notice of Privacy Practices - Requirements Statements about the sale of PHI, marketing and other purposes that require an authorization Statement that individual can opt out of fundraising The individuals right to request restrictions and CE must agree if the individual pays out of pocket in full Individuals right to receive notification when there is a breach Notice of Privacy Practices - Tips Review and update your NPP as necessary Make available to individuals Post the updated NPP in a clear and prominent location Provide new patients the updated NPP 19

20 Highlights of the Final Omnibus Rule Business associates Individual rights Notice of privacy practices Breach notification Other changes What is a Data Breach? An impermissible use or disclosure Compromises security or privacy of the PHI Poses a significant risk to the affected individual Risk can be financial, reputational, or other harm Exceptions Unintentional acquisition, access, or use of PHI by authorized workf orce member Inadv ertent disclosure between authorized workf orce members Good f aith belief that unauthorized indiv idual would not be able to retain inf ormation. Over 21.4 Million People Affected In reported breaches > 500 since September Theft (54%) Unauthorized Access/Disclosure (20%) Loss (11%) 4 Hacking (5%) 5 Improper Disposal (5%) 20

21 HITECH Omnibus Data Breach Notification Change Notification based on harm standard Harm can be Financial Reputational Other Notification is presumed for breach Notification is presumed for breach Unless low probability determined that PHI was compromised Breach Notification Rule - Finalized Without unreasonable delay (60 day) Breach is discovered on day it is known to CE or BA Specific requirements for written notification Notice to Media and OCR > 500 individuals Notification by BA to CE Individual notice Media notice > 500 Notice to OCR > 500 Annual notice to OCR for < 500 individuals Safe Harbor Provision of Breach Notification No notification necessary if limited data sets and other PHI are encrypted 21

22 Privacy And remember An incident is not a breach until determined to be one. Don t forget to coordinate efforts throughout the process. Security Coordinate Incident Response Define levels of incidents Understand when different response is required Is PHI or ephi involved? Define team responsibilities/roles Privacy and Security Officers Be prepared to respond quickly Investigation and document Document response Learn from process Example Steps for Response Plan 1. Define the incident 2. Stop the incident 3. Document the details 4. Impact determination who, what, etc. 5. Notify appropriate individuals and agencies 6. Manage the risks that may cause re-occurrence 22

23 Highlights of the Final Omnibus Rule Business associates Individual rights Notice of privacy practices Breach notification Other changes Other Changes and Administrative Requirements Marketing Sale of patient information Fundraising GINA Administrative requirements Marketing Marketing is to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service General rule CE must obtain a valid authorization before using or disclosing PHI for marketing Exceptions to this rule 23

24 Marketing - Exception Communications for the treatment of the patient by a health care provider Communications to describe a health related product or service that is included in benefits of the CE Sale of PHI Covered entity cannot disclose PHI without individual authorization in exchange for remuneration Includes direct and indirect Not limited to financial The authorization must state that the disclosure will result in payment to the entity Sale of PHI - Exceptions Exceptions Sale of business Payments to BA for services Required by law Research (if limited to cost to prepare and transmit PHI) Other disclosure where receive reasonable, cost-based fee to prepare and transmit PHI 24

25 Fundraising Notice of privacy practices must state the intent to make fundraising communications NPP must describe the individuals right to opt out Fundraising communication must include a clear and conspicuous opportunity for individual to elect not to receive further communication Cannot condition treatment on the individuals choice concerning further receipt of communications Incorporate this into NPP Plan for opt out mechanism Genetic Information Genetic Information Nondiscrimination Act of 2008 GINA Applies to health plans Expressly provides that genetic information is PHI Administrative Requirements Record retention and destruction policy Electronic discovery Disaster recovery policy Accounting of disclosures Policies addressing portable device internet use 25

26 Minimum Necessary Limit disclosure or use to the minimum necessary to accomplish the purpose under HITECH, minimum necessary rule satisfied only if limits PHI, to the extent practicable, to the limited data set. 76 Choreographing the Dance And those who were seen dancing were thought to be insane by those who could not hear the music. Friedrich Nietzsche A Plan for Implementing Changes Gap analysis Implementation plan Business associate agreements Forms Workforce training Monitor and enforce 26

27 Gap Analysis Inventory policies, forms, and BAs Determine scope of inventory to be updated Prioritize Checklist Business associates Individual rights Notice of privacy practices Breach notification Marketing Sale of patient information Fundraising GINA Implementation Plan Risk analysis Create plan for implementing changes Implement changes Document activities Business Associates Identify your business associates Involve departments Consider reviewing accounts payable vendor list Review your BA agreements Review what PHI BA is accessing Minimum necessary Plan for notification upon breach 27

28 Review Forms Assess and inventory Determine impact Individual rights NPP Marketing Research Update existing Develop new Train workforce Forms Checklist Example Patient bill of rights Notice of privacy practices NPP Acknowledgement Marketing authorization Fundraising authorization Research forms Implementing Effective Change Train Monitor Enforce Final Comments 28

29 Questions? Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Direct: Web: Trish Lugtu Senior Manager, MMIC Consulting Physician Consulting Services Direct: Web: 29