White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Transcription

1 White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

2 CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate 4 Security Rule Applies Directly to Business Associates 4 Agreements with Business Associates 5 Administrative, Physical and Technical Safeguards 5 Administrative Safeguards 5 Physical Safeguards 5 Technical Safeguards 5 Breach Notification Rule 6 Privacy Rule Applies Directly to Business Associates 6 Planning for Compliance 7 Conclusion 8 References 8

3 Introduction This paper briefly outlines some of the key changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Omnibus Final Rule. The Final Rule imposes new obligations and direct liability on business associates to comply with HIPAA s Security and Privacy Rules. Covered entities and business associates have until September 23, 2013 to become fully compliant under the Final Rule. MerusCase keeps your data private and secure. It is the policy of MerusCase to be in strict compliance under HIPAA, the Final Rule, and other applicable state law. Because the MerusCase team works around the clock to ensure complete privacy of all client information, regardless of nature, you can rest assured that your data is safe, your clients are protected, and your firm maintains regulatory compliance. Brief Overview of HIPAA Final Omnibus Rule The long-awaited HIPAA Final Omnibus Rule (Final Rule), which went into effect on January 25, 2013, by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), greatly enhances patients privacy protection, provides individuals new rights to their personal health information, redefines breach and strengthens the government s ability to enforce the law. When the Final Rule was passed in January, HHS Secretary Kathleen Sebelius stated Much has changed in health care since HIPAA was enacted over fifteen years ago. The Secretary also stated that, The new rule will help protect patient privacy and safeguard patients health information in an ever expanding digital stage. HIPAA has been around for more than 15 years and was updated with the Omnibus Rule in March of To help safeguard against the breach of personal medical information, the HIPAA set standards for medical privacy that went into effect in The American Recovery and Reinvestment Act (ARRA), signed by President Obama in February 2009, established privacy requirements, which were hailed by many experts as the most sweeping change to the healthcare privacy and security environment since the original HIPAA Privacy rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act sought to streamline healthcare and reduce costs 3

4 through the use of health information technology, and the healthcare industry had to comply with the HIPAA Privacy and Security Rules by establishing a risk management process and conducting annual risk assessments. security, as well as who is now subject to compliance under the Final socalled business associates and their subcontractors that do business with covered entities. business associates and the imposition of direct liability to business associates of covered entities for noncompliance with certain of the HIPAA Privacy and Security Rules. Moreover, under the current Rule, It is up to you to determine if you are a business associate. MerusCase can be your trusted partner in achieving compliance. of contracting with a covered entity. Unlike the previously narrower was expanded to cover any entity that creates, receives, maintains, or transmits protected health information (PHI) for a function or activity regulated by HIPAA, which includes claim process, or administration, data analytics, processing, as well as other categories. Health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require routine access to PHI, are also covered. a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate. According to the preamble in the Final Rule, this includes agents of companies that are not under contract, as well as persons who act on behalf of the subcontractors. 4

5 Security Rule Applies Directly to Business Associates The Security standards were also modified to include business associates expressly, with direct liability for violations. There were also certain changes made to the section that addresses routine maintenance. Requirement for administrative safeguards was also updated to cover business associates. Agreements with Business Associates Under the Final Rule, a covered entity is not required to obtain satisfactory assurances from a business associate that is a subcontractor. Rather, business associates are required to obtain satisfactory assurances that the subcontractor will properly safeguard information if the subcontractor is to create, receive, maintain, or transmit electronic PHI on behalf of the business associate. This directly imposes the burden regarding subcontractors on the business associate, rather than the covered entity. A Business Associate Agreement is required of all your vendors. Administrative, Physical and Technical Safeguards Under the Final Rule, business associates are directly required to comply with administrative, physical and technical safeguards in order to address specific security issues and solutions implemented as they relate to transmitting and storing patient data. Safeguard procedures include the following: HIPAA compliance requires adherence to strict guidelines and regular audits. It encompasses procedural, technical and prsonnel training issues. Administrative Safeguards Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts and Other Arrangements 5

6 Physical Safeguards Facility Access Controls Workstation Use Workstation Security Device and Media Controls Technical Safeguards Access Controls Audit Controls Integrity Person or Entity Authentication Transmission Security The HIPAA security standards do not specify specific technology requirements, so each affected organization must assess its own risk and develop security measures accordingly. Organizations must then certify their security programs though an internal procedure or by a private accreditation company. Thus, to be in full compliance with the HIPAA Security Rule and ensure Administrative, Physical, and Technical Safeguards are implemented that will lead to HIPAA compliance, a comprehensive and effective information security program is necessary. Breach Notification Rule Under the Final Rule, business associates must conduct an incident risk assessment of every data security incident involving PHI. However, instead of determining the risk of harm, the risk assessment determines the probability that PHI has been compromised. The factors that should be considered in the making of the risk assessment include: Disclosure is required in the event patient healthcare information is compromised. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification; The unauthorized person who used the protected health information or to whom the disclosure was made; Whether the protected health information was actually acquired or viewed; and The extent to which the risk to the protected health information has been mitigated. 6

7 Privacy Rule Applies Directly to Business Associates The Final Rule also applies parts of the Privacy Rule directly to business associates. Most notably, business associates must not use or disclose PHI, except as permitted under the Privacy Rule. Business associates may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity. Business associates must disclose PHI to HHS to investigate or determine compliance, and must disclose PHI to the covered entity, individual or individual s designee as necessary to satisfy a covered entity s obligations to respond to an individual s request for an electronic copy or electronic PHI. HIPAA affects everyone. Business associates must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using, disclosing or requesting PHI. Finally, business associates must directly enter into a business associate agreement with a subcontractor that creates, receives, maintains, or transmits PHI on the business associate s behalf. Finally, under the Final Rule, business associates are subject to the HIPAA Breach Notification Rule, which imposes a duty on business associates to notify covered entity of a breach of unsecured PHI. Planning for Compliance The Final Rule puts renewed pressure on covered entities and new burdens on business associates to act now to achieve compliance with HIPAA and breach notification requirements. With the strengthened enforcement powers by the OCR, business associates and healthcare organizations need to demonstrate and document this compliance. There are five immediate steps that can be taken to provide a comprehensive foundation for compliance under the Final Rule: Implement HIPAA compliant policy and procedure by September Clearly define a policy-driven security management program that can be incorporated into your business processes - Identify and designate the people and the technology controls necessary to satisfy the company s security policies and procedures. Conduct a complete risk assessment First identify all PHI and determine the risks to PHI security that exist within the company and spell out all the controls you have in place for safeguarding PHI. Conduct a comprehensive HIPAA Security Assessment to 7

8 Validate security controls Provide for the monitoring and reporting of controls on personnel actions, process controls, and information technology controls. Create a plan to mitigate major risks. Carry out, monitor, and document annual privacy and security risk assessments, including risks and vulnerabilities to the Clearly identify, manage, and document compliance of business associates and their downstream subcontractors. assessments that determine if an incident is a reportable breach or not. Demonstrate that the proper steps were taken to correct Ensure that all employees and management are trained on their roles and responsibilities with respect to the Security Rule and PHI. Maintain an ongoing program for monitoring, auditing, and reporting of the operational processes for HIPAA Compliance. Conclusion should be of great concern to business associates and subcontractors. HIPAA compliance plan. in enforcing HIPAA and now has even greater enforcement power at and procedures in place to ensure compliance. MerusCase adheres to the policies and procedures within MerusCase s HIPAA Compliance Policy Manual, and will continue to achieve further compliance under the Final Rule to further enhance and increase safeguards to protect the privacy of all client information. References Fed. Reg (Jan. 25, 2013) /pdf/ pdf 2. HIPAA Business Associate Agreement is available in the Forms & Template section within MerusCase. It will automatically include 8