Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

Transcription

1 Key HIPAA HITECH Changes Gina Kastel, Partner, Health and Life Sciences

2 Agenda Business Associates Restrictions on Disclosures Access to PHI Notice of Privacy Practices Fundraising 2

3 Business Associates 3

4 Prior Business Associate Definition Definition: Person who, on behalf of a covered entity, but not as a member of its workforce, Performs a function or activity involving the use or disclosure of individually identifiable health information, including claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management or repricing; or Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services 4

5 Business Associate Definition Expanded Specific organizations treated as BAs Health information organizations (such as health information exchanges), patient safety organizations, e-prescribing gateways, vendors that offer personal health records on behalf of a covered entity Entities that maintain PHI are BAs (in addition to those that create, receive or transmit PHI) Not ISPs or couriers (UPS, etc.) transient Data storage companies (digital or paper) are BAs (narrows conduit exception) whether or not they view the information they hold persistent Subcontractors of BAs are also BAs No limit on number of links in subcontractor chain 5

6 Business Associate Compliance Obligations BAs are subject to limited provisions of Privacy Rule BA is not a covered entity Liable for implementing and following BAA, including with subcontractors, providing access to individuals, disclosing information to HHS, complying with minimum necessary standard BAs subject to most of Security Rule Implement physical, technical, and administrative safeguards for e-phi Appoint security official OCR can investigate and impose penalties against BAs 6

7 Business Associate Agreements Failure to have agreement with CE or subcontractor is Privacy Rule violation (subcontractor agreement is between BA and subcontractor) Can use and disclose PHI only as described in BAA Be sure all functions described de-identification, data aggregation, BA s own management and administration New content requirements Notification of breaches of unsecured PHI Comply with Security Rule BA will enter into BAA with subcontractors Describe any Privacy Rule obligations BA performs for CE Minimum necessary Beware of BA acting as agent of CE (e.g., delegate of HIPAA obligations) 7

8 Individual Rights Restrictions & Access 8

9 Individual Rights - Restrictions Individual can restrict disclosures to health plan of PHI related to item or service for which individual paid out of pocket in full Providers must have way to identify (flag) affected records, but do not have to segregate them Provider can disclose PHI as required by law (to Medicare for audits) Individual responsibility to request, though providers are encouraged to educate and assist Individual can pay with FSA or HSA and still request a restriction 9

10 Individual Rights - Access Individuals can request access to PHI in electronic form Applies to all e-phi in a designated record set, not just EHR Must provide the format requested by individual if readily producible in that format or another format agreed by individual and CE Individual can have information sent directly to third party by requesting in writing Can use unencrypted so long as individual is advised of the risks Can charge costs for labor and supplies, but no retrieval fee 30 day response time, with 30 day extension 10

11 Notice of Privacy Practices 11

12 Notice of Privacy Practices Updates to NPP required to address issues in Final Rule Security breach Restrictions of disclosures for self-pay items and services (only health care providers) Statement indicating the following situations that require authorization Fundraising Marketing Sales of PHI Psychotherapy notes (unless CE doesn t maintain or record) Health plans that perform underwriting must include a statement that they are prohibited from using or disclosing genetic information for such purposes Remember, underwriting is defined broadly to include wellness incentives 12

13 Notice of Privacy Practices New NPP must be ready by compliance date (September 23, 2013) Considered material change, so must make available Post to website Plans can mail in next annual mailing Participants must opt in to receive notice electronically. 13

14 Fundraising 14

15 Fundraising Original rule permitted CE to use or disclose to a BA or to an institutionally related foundation demographic information to raise funds for CE s own benefit Demographic information included name, address, other contact information, age, gender, and insurance status, not diagnostic information Had to include fundraising in Notice of Privacy Practices and tell individual how to opt out of future fundraising 15

16 Fundraising Final rule expands demographic information to include treating physician, outcome, department (limited diagnostic information) Individual must be given clear and conspicuous notice of right to opt out of future fundraising Method to opt out may be determined by CE, as long as it does not impose an undue burden or more than nominal cost (toll free number, address) Written letter is an undue burden, pre-printed pre-paid post card okay Can provide process to opt back in 16

17 Questions and Discussion Gina Kastel, Partner Faegre Baker Daniels LLP