Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update

The Bittinger Law Firm, Sutton Park Drive South, Suite 201, Jacksonville, Florida
January 13, 2015
Ann M. Bittinger, Esq., Ann@bittingerlaw.com

Overview
1. Background
2. Enforcement
3. Genetic Information
4. Clinical Research
5. Business Associates
6. Agency Concerns
7. New Breach Notification Standard
8. Individuals: Electronic Copies; Required Restrictions; Marketing; Fundraising; Sale of PHI; Notice of Privacy Practices

BACKGROUND

History
- Congress enacted the Health Insurance Portability and Accountability Act in 1996.
- Goals: access to health insurance (portability); protecting the privacy of health information; promoting the standardization of health claims (efficiency).
- Privacy Regulations: first proposed November 3, 1999; final rule published December 28, 2000 and modified August 14, 2002; compliance required April 14, 2003 for most covered entities.

HITECH Changes to HIPAA
- Part of the American Recovery and Reinvestment Act of 2009 (ARRA).
- Health Information Technology for Economic and Clinical Health Act.
- $36 billion for HIT and HIE.

Business Associates
- If an entity that is not a covered entity is doing something on your behalf, and it is not treatment, you need a BA Agreement with it.
- Applies to payment and health care operations.
- Examples: consultants assisting with audits; lawyers assisting with lawsuits, claims and collections; data processing; claims processing; accreditation; accounting.

Privacy Plan
- Must have in place a plan to address HIPAA Privacy.
- Nothing specific is mandated; plans typically address privacy rights, oral communications, the method of handing out and tracking the Notice, and document retention.
- Training.
- Designated Privacy Officer.

Notice of Privacy Practices
- Must be given to all patients at the first date of service.
- Explains the uses and disclosures of PHI at the entity.
- Must contain certain language.

Authorization
- Use when the use or disclosure is not treatment, payment or health care operations; is not to a BA; and no other exception applies.
- Patient signs; must be in plain language.
- Must contain certain language.
- Cannot condition treatment on signing.
- Must inform patients of their rights.

Individual Rights
- Access: the general rule is a right to access.
- Must act within 30 days.
- Certain grounds for denial, which are reviewable.

Privacy Compliance and Enforcement
- A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. No provision of the Privacy Rule limits an individual's right of access in that way. Among other steps to resolve the specific issues, OCR required the practice to revise its access policy to affirm that patients have access to their record regardless of whether another entity created information contained within it.
- An outpatient surgical facility disclosed a patient's PHI to a research entity for recruitment purposes without the patient's authorization or an IRB- or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR required the facility to revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations, to train staff, and to log the disclosure of the patient's PHI.

Accounting/Log
- Individuals have a right to a list of disclosures made in the six years prior to the request (but not before the implementation date).
- Exceptions: to the patient; incidental disclosures; authorized disclosures (signed authorization); national security.
- Releases to BAs have to be tracked.
- Content: date, name and address of the recipient, description of the information, and purpose of the disclosure.
- Must act within 30 days.

Breach
- HITECH: the first federal law mandating breach notification (most states also have their own breach notification statutes).
- Applies to covered entities, business associates, PHR vendors and PHR service providers.

Example of breach (January 2010, BCBS of Tennessee)
- October 2, 2009: alarm at an offsite facility storing hard drives.
- Investigation 3 days later reveals 57 missing hard drives containing audio copies of phone calls and video screen images.
- BCBS notified 220,000; up to 500,000 may be affected.
- Spent over $7 million to date.
- Has to notify AGs in 32 states.

Background
- Official title: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.
- AKA: the HITECH Final Omnibus Rule.

Background
- Published January 25, 2013 in the Federal Register, 78 FR 5566.

Key Terms
- ARRA: American Recovery & Reinvestment Act
- BA: Business Associate
- CE: Covered Entity
- EHR: Electronic Health Record
- EPHI: Electronic Protected Health Information
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic & Clinical Health
- PHI: Protected Health Information
- PHR: Personal Health Record

HITECH Timeline
- August 21, 1996: HIPAA signed into law.
- February 17, 2009: ARRA-HITECH signed into law.
- July 14, 2010: Modifications to HIPAA Privacy, Security and Enforcement Rules under HITECH: Proposed Rule.
- January 25, 2013: HIPAA HITECH Omnibus Final Rule published in the Federal Register.
- Effective March 26, 2013; compliance required by September 23, 2013.

Purpose of the Final Omnibus Rule
- Strengthen the privacy and security protection for individuals' health information;
- Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule;
- Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
- Make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

ENFORCEMENT

Enforcement
- The Department of Health and Human Services (HHS) AND State Attorneys General can enforce HIPAA.
- The HIPAA-HITECH Act gave State Attorneys General (SAGs) authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
- SAGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.
- SAGs are required to serve HHS 48 hours prior to filing an action and must include a copy of the complaint.

Enforcement: Investigations
- Mandatory investigation: if a preliminary review of the facts in a complaint or compliance review indicates a possible violation due to willful neglect, the Secretary of Health and Human Services (Secretary) is required to investigate the complaint or compliance review.
- Discretionary investigation: if the facts do not indicate a possible violation due to willful neglect, further investigation or review is discretionary.

Enforcement: Resolution
- Old rule: the Secretary was required to attempt to resolve noncompliance through informal means.
- New Final Omnibus Rule: the Secretary now has discretion to choose between informal and formal resolution of investigations or compliance reviews. The Secretary can move immediately to a civil monetary penalty (CMP) and formal enforcement without first exhausting informal resolution efforts, especially for willful neglect violations.

Enforcement: Stronger Penalties for Violations
- December 28, 2000 rule: penalties ranged from $100 per violation to $25,000 per calendar year for identical violations (Federal Register Vol. 65, No. 250).
- January 25, 2013 rule: penalties range from $100 per violation to $1,500,000 per calendar year for identical violations (Federal Register Vol. 78, No. 17).

Enforcement: Civil Monetary Penalty Levels

Violation category                Each violation         All identical violations per calendar year
Did Not Know                      $100 - $50,000         $1,500,000
Reasonable Cause                  $1,000 - $50,000       $1,500,000
Willful Neglect - Corrected       $10,000 - $50,000      $1,500,000
Willful Neglect - Not Corrected   $50,000 and upward     $1,500,000

Enforcement: Factors Used to Determine CMP Amount
1) Nature of the violation. The Secretary may now consider the number of individuals affected.
2) Nature and extent of the resulting harm. The Secretary may now consider reputational harm.
3) History of prior compliance with HIPAA administrative simplification standards. The Secretary may now consider previous indications of noncompliance, not just previous violations.
4) Financial condition of the CE or BA.

Enforcement: Affirmative Defenses
- If a criminal penalty has been imposed on a CE or BA for a violation of HIPAA, the Secretary may NOT impose a CMP for the same act. The violation must actually have been punished, not merely punishable.
- For violations PRIOR to February 18, 2009: the Secretary may NOT impose a CMP if there was no willful neglect AND it would have been unreasonable for the CE to comply with HIPAA despite ordinary business care and prudence.
- For violations AFTER February 18, 2009: affirmative defense if the violation is NOT due to willful neglect AND was corrected within 30 days of learning of the violation, or such additional period as determined by the Secretary.

GENETIC INFORMATION

Genetic Information
- The Final Omnibus Rule incorporates the Genetic Information Nondiscrimination Act (GINA) into the existing regulations.
- GINA is a 2008 federal law that prohibits health insurance issuers from using genetic information to determine insurance premiums or contributions and restricts the use of genetic information in the employment context.

Genetic Information: Under the Final Omnibus Rule
- Genetic information must now be treated as PHI.
- Group health plans, health insurance issuers, and issuers of Medicare supplemental policies are prohibited from using or disclosing genetic information for underwriting purposes.
- Discrimination in the provision of health insurance based on genetic information is prohibited.

CLINICAL RESEARCH

Clinical Research: De-identification of PHI
- The Final Omnibus Rule discusses two methods to satisfy the Privacy Rule's de-identification standard:
  1) Expert Determination
  2) Safe Harbor

Clinical Research: Compound Authorizations
- Allows a CE to combine conditioned and unconditioned authorizations for research SO LONG AS the combined authorization clearly differentiates between the conditioned and unconditioned research components AND allows the individual the option to opt in to the unconditioned research activities.
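The Safe Harbor method named on the slide above is mechanical enough to show in code. The following Python routine is an added example, not part of the presentation: it applies the Safe Harbor identifier rules (45 CFR 164.514(b)(2)) to a constructed patient record, removing direct identifiers, reducing dates to the year, truncating ZIP codes to three digits, aggregating ages over 89 into a "90+" category, and scrubbing identifier-like strings from free-text notes. The field names, the sample record, the restricted ZIP3 set and the free-text patterns are assumptions made for illustration; in particular the restricted ZIP3 list must be taken from current HHS guidance, not from this example. Expert Determination is not shown.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example for the Safe Harbor method (45 CFR 164.514(b)(2)); not part
of the original presentation.  Field names, sample record, restricted ZIP3
set and free-text patterns are assumptions made for illustration.
"""
import re
from datetime import date

# Fields mapped (by assumption) onto the Safe Harbor categories that must be
# removed outright: names, geographic subdivisions smaller than a state
# (street, city, county), telephone/fax numbers, e-mail addresses, SSNs,
# medical record, health plan and account numbers, certificate/license
# numbers, vehicle and device identifiers, URLs, IP addresses, biometric
# identifiers and full-face photographs.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# Dates directly related to the individual: Safe Harbor keeps the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP areas with 20,000 or fewer residents must be changed to
# 000.  This set is an ASSUMPTION for the example; the authoritative list is
# derived from Census data and must be taken from current HHS guidance.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "884", "893"}

# Heuristic patterns for scrubbing free-text notes (constructed, not from
# the rule).  Free text is where Safe Harbor efforts most often fail.
NOTE_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def zip3(zip_code):
    """First three digits of a ZIP code, or 000 for a restricted ZIP3 area."""
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, reference):
    """Age in whole years on the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_note(text):
    """Replace identifier-like substrings in free text with placeholders."""
    for pattern, label in NOTE_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, reference=None):
    """Return a Safe Harbor de-identified copy of a record (a dict)."""
    reference = reference or date.today()
    over_89 = "dob" in record and age_on(record["dob"], reference) > 89
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = zip3(value)
        elif field in DATE_FIELDS:
            # A birth year that reveals an age over 89 must also be dropped;
            # such individuals are aggregated into a single "90+" category.
            if field == "dob" and over_89:
                continue
            out[field + "_year"] = value.year
        elif field == "notes":
            out[field] = scrub_note(value)
        else:
            out[field] = value
    if "dob" in record:
        age = age_on(record["dob"], reference)
        out["age"] = "90+" if age > 89 else str(age)
    return out


# Constructed sample record (hypothetical data, not a real patient).
SAMPLE = {
    "name": "Jane Q. Public",
    "dob": date(1922, 4, 9),
    "ssn": "123-45-6789",
    "zip": "32256",
    "admit_date": date(2014, 11, 3),
    "diagnosis": "E11.9",
    "notes": "Called patient at 904-555-0100 on 11/03/2014; spouse jp@example.com.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2015, 1, 13)))
```

Running it against the sample with a reference date of January 13, 2015 drops the name and SSN, reduces the ZIP to 322, keeps only the admission year, removes the birth date entirely because the patient is over 89, and leaves the diagnosis code. The regex scrubbing of notes is the weak point of any Safe Harbor pipeline: it catches well-formed SSNs, phone numbers, e-mail addresses and dates, but not names or unusual identifier formats, which is why de-identified free text still needs review before release.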

Clinical Research: Authorizations for Future Research
- Old rule: research authorizations needed to be study-specific.
- New Final Omnibus Rule: research authorizations need NOT be study-specific, provided that they describe future uses or disclosures sufficiently to enable individuals to reasonably expect that their PHI could be used or disclosed for future research.

BUSINESS ASSOCIATES

Business Associates: Expanded Definition
- A business associate includes a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
- Includes physical storage facilities AND companies that store electronic PHI in the cloud.
- BAs now expressly include: health information organizations; e-prescribing gateways; entities that provide data transmission services to CEs AND routinely require access to PHI; PHR vendors that provide services to CEs; subcontractors.

Business Associates: BAs Now Subject to HIPAA
- The HIPAA Security Rule's technical, administrative, and physical safeguard requirements now apply to BAs.
- The HIPAA Privacy Rule's use and disclosure limitations now apply to BAs.
- Criminal and civil liabilities for violations.

Business Associates: Required Disclosures
A BA must disclose PHI to:
1) HHS for a compliance investigation, complaint investigation, or compliance review.
2) The CE or the individual when an individual requests an electronic copy of PHI, in order to satisfy the CE's obligations.

Business Associates: Obligations
BAs must:
1) Notify the CE of a breach of unsecured PHI.
2) Make reasonable efforts to limit uses and disclosures of PHI, and requests for PHI, to the minimum necessary.
3) Provide an accounting of disclosures.
4) Enter into agreements with subcontractors that comply with the HIPAA Privacy and Security Rules.

All BAs must now:
- Designate a security official
- Perform a risk analysis
- Conduct employee training
- Create a risk management program
- Maintain written policies and procedures
- Document compliance with the statute

Business Associate Agreements
- Existing Business Associate Agreements (BAAs) may continue to operate for a one-year period after the September 23, 2013 compliance date if:
  1) the existing BAA complied with all prior BAA requirements, and
  2) the existing BAA was NOT renewed prior to the compliance date.

Business Associates: Pointers
- Have you identified all BAs?
- Have you executed/updated business associate agreements (BAAs)?
- Does your BAA identify how quickly the BA should contact the CE in the case of a breach?
- Does your BAA reflect the Omnibus changes in liability?
- If your BA subcontracts, does your BA have an agreement with the subcontractor that complies with the BAA provisions?

AGENCY CONCERNS

Agency Concerns: Old Rule
- Exception to liability for civil monetary penalties (CMP) when a HIPAA violation was committed by a BA acting as the CE's agent.
- Under this exception, a CE was not responsible for the missteps of BA agents that were unknown to the CE.

Agency Concerns: New Final Omnibus Rule
- BOTH CEs and BAs will face potential CMP liability for their agents' acts or omissions within the scope of the agency.
- The existence of an agency relationship is determined by a fact-specific, totality-of-the-circumstances test.

Agency Concerns: Test Factors
1) Time, place, and purpose of the agent's conduct;
2) Whether the agent is engaged in a course of conduct subject to the principal's control;
3) Whether the agent's conduct is commonly done by an agent to accomplish the service performed on behalf of the principal;
4) Whether or not the principal reasonably expected that an agent would engage in the conduct in question.

Agency Concerns: Federal Common Law of Agency
- Under the Final Omnibus Rule, if a BA becomes aware of a breach, and that BA is an agent, the knowledge is imputed to the CE.

NEW BREACH NOTIFICATION STANDARD

New Breach Notification Standard: Final Omnibus Rule
- An acquisition, access, use, or disclosure of PHI in a manner not permitted is PRESUMED to be a breach unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised.

New Breach Notification Standard: Definitions
- HITECH definition of breach: acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.
- Interim definition of compromise: poses a significant risk of financial, reputational, or other harm.
- The Final Omnibus Rule does NOT define compromise.

New Breach Notification Standard: So when must the CE or BA notify?
- Shift from the old subjective harm standard to a new objective test of whether the PHI has been compromised.
- New standard: breach notification is necessary in all situations EXCEPT where the CE or BA demonstrates a low probability that the PHI has been compromised.
- Instead of focusing on harm to the individual, the focus is now on the likelihood that PHI has been improperly accessed or exposed.

New Breach Notification Standard: How do CEs or BAs determine if PHI has been compromised?
- Determining the probability of compromise requires a risk assessment of at least:
  1) Nature and extent of the PHI involved
  2) Who received/accessed the information
  3) Potential that the PHI was actually acquired or viewed
  4) Extent to which the risk to the PHI has been mitigated

New Breach Notification Standard: Most Common Large Breaches
- Types: 1) theft; 2) unauthorized access/disclosure; 3) loss.
- Locations: 1) laptops/portable electronic devices; 2) paper records; 3) desktop computers.

New Breach Notification Standard: Example
- Theft of an unencrypted laptop computer containing ePHI of 441 patients. The provider notified OCR under the 45 C.F.R. breach notification provisions.
- OCR found: the provider failed to conduct a risk analysis to safeguard ePHI AND did not have policies or procedures in place to address mobile device security pursuant to the HIPAA Security Rule.
- Settlement agreement: the provider pays HHS $50,000 and enters into a corrective action plan.
- First settlement agreement involving a breach of ePHI affecting fewer than 500 individuals.
- Note the word "unencrypted": the breach notification rules apply only to unsecured PHI, and ePHI encrypted in accordance with HHS guidance (with the key not also compromised) is not unsecured. Full-disk encryption on the laptop would have taken the loss outside the notification obligation.

ELECTRONIC COPY

Electronic Copies: Individual
- The CE must provide access in the electronic form/format requested by the individual if readily producible, otherwise in a readable electronic form/format agreed to by the CE and the individual.
- Examples: disc with a PDF file; secure e-mail with a Word file; access to a secure web-based portal.
- Hard copy is acceptable if the individual declines to accept any of the CE's electronic formats.

Electronic Copies: Clarification
- If the EPHI contains a link to images or data, the images or data must be included in the electronic copy.
- If the medical record is mixed media, the CE can provide a combination of electronic and hard copies.
- The CE is not required to use an individual's personal flash drive if the CE has security concerns.
- If the individual requests that a copy of their EPHI be sent via unencrypted e-mail, the CE may send it, but must advise the individual of the risk that the information may be read by a third party.

Electronic Copies: Individual's Designee
- The request must be in writing and must be signed.
- It must clearly identify the designee and where the record should be sent.

Electronic Copies: Costs
A CE may charge for:
- Reviewing the request and producing the copy, i.e. compiling, extracting, scanning, and transferring PHI to media.
- The cost of a portable media device, if requested, e.g. CD, USB drive.
- Postage if mailed.

A CE may NOT charge for:
1) Costs of new technology;
2) Maintaining systems for electronic PHI, data access, and storage infrastructure;
3) A retrieval fee.

Electronic Copies: Time
- Old rule: the CE had up to 90 days to respond to requests for access.
- New Final Omnibus Rule: the CE has up to 60 days: 30 days to respond, plus one 30-day extension upon written notice to the individual stating the reason for the delay and the expected date of completion.

REQUIRED RESTRICTIONS

Required Restrictions: Out-of-Pocket Payment
- Patients who pay for treatment out of pocket now have a right to restrict disclosure of PHI to insurance companies/health plans, so long as the disclosure is for purposes of payment or health care operations and is not otherwise required by law.
- A CE no longer has the ability to terminate its agreement to any Required Restriction.

Required Restrictions: Compliance
1) Medical records: flag portions of the record that contain PHI subject to the required restriction.
2) Bundled services: the provider should counsel the patient on the provider's ability/inability to unbundle the services and the consequences of doing so. If the provider can NOT unbundle, the provider should give the patient the option to restrict and pay out of pocket for the entire bundle.
3) Dishonored payments: make reasonable attempts to resolve payment issues with the patient PRIOR to disclosing PHI to the health plan.

Required Restrictions: Compliance (cont.)
4) Downstream providers: the individual has the obligation to request the restriction from downstream providers. Providers are encouraged to assist the individual.
5) Follow-up care: the individual must request the restriction for follow-up care.
6) Health Maintenance Organizations: contractual requirements for a provider to submit claims to an HMO do NOT exempt the provider from its obligations with respect to a required restriction.
7) Mandatory billing rules: a provider may submit PHI to a government health plan as required by law; HOWEVER, the provider must utilize mechanisms to avoid such legal mandates, if possible, to comply with a request for a Required Restriction (RR).

Required Restrictions: Pointers
1) Develop and administer proper training regarding RRs and protecting restricted PHI.
2) Update electronic systems to ensure that health plans are not billed for items or services subject to an RR.

MARKETING

Marketing: Modified Definition
- Marketing now includes any treatment or health care operations communication to individuals about health-related products or services, if the CE or its BA receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described.

Marketing: Authorization
- Authorization is now REQUIRED for any CE or BA receiving financial remuneration from a third party in exchange for making a communication about a product or service.
- Exceptions: refill reminders, information on generic substitutes, or instructions for taking the drug; in-person discussions.
- The authorization must state that the communication is paid for.
- The authorization must state that the individual may revoke the authorization at any time.
- Scope: the authorization need not be limited to a single product/service or to the products/services of one third party.

Marketing: How does this affect my Notice of Privacy Practices?
- The Final Rule explains that the NPP does NOT have to include a statement informing individuals that the CE is being paid for certain communications.
- If the CE is getting paid for sending communications, the CE needs to notify the individual through an authorization.
- If the CE is not getting paid for the communication, the purposes are adequately captured in the NPP's discussion of treatment and health care operations.

Marketing: Financial Remuneration for Refill Reminders/Drug Communications
- Must be reasonable in amount to qualify for the exception.
- Must be reasonably related to the CE's cost of making the communication, e.g. labor, supplies, postage.

FUNDRAISING

Fundraising: Old Rule
- CEs can use and disclose demographic information relating to the individual and dates of health care provided to the individual for fundraising.
- Demographic information includes: names, addresses, other contact information, age, gender, date of birth.

Fundraising: New Rule
- A CE may now use the following information to target fundraising communications:
  - Demographic information
  - Dates of service
  - Health insurance status
  - Department of service (NEW), e.g. oncology, cardiology, pediatrics
  - Treating physician (NEW)
  - Outcome information (NEW), e.g. death or sub-optimal results
- An individual's ability to opt out of fundraising communications must be clear and conspicuous.
- The CE may not condition treatment or payment on the individual's decision.

Fundraising: How does this affect my Notice of Privacy Practices?
- Your NPP must inform individuals that the CE may contact them to raise funds for the CE, and that the individual has a right to opt out of receiving such communications.

SALE OF PHI

Sale of PHI
- The Final Omnibus Rule prohibits the sale of PHI without authorization.
- The authorization must state that the disclosure will result in remuneration.
- Includes financial AND non-financial remuneration.

Sale of PHI: Exceptions to the Prohibition on Unauthorized Sale of PHI
- Public health activities
- Disclosures required by law
- Research, if remuneration is limited to a reasonable, cost-based fee to prepare and transmit the PHI
- Treatment and payment
- Sale of a business
- Remuneration to a BA for services rendered
- Providing access or an accounting to the individual
- Any other permitted disclosure where only a reasonable, cost-based fee will be received to prepare and transmit the PHI

Sale of PHI: Pointers
1) Update policies and procedures.
2) Train employees on the prohibition of the sale of PHI without express written authorization.

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices
- Section 164.520 of the Privacy Rule sets out the requirements for most covered entities to have and distribute a notice of privacy practices (NPP). The NPP must describe: permitted uses and disclosures of PHI; the CE's legal duties and privacy practices with respect to PHI; and the individual's rights concerning PHI. (78 FR 17)

Notice of Privacy Practices
1) The NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization, as well as a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual. (78 FR 17; 45 CFR 164.520(b)(1)(ii)(E))

Notice of Privacy Practices
2) The Final Rule treats all subsidized treatment communications as marketing. Therefore, the Final Rule did NOT adopt the proposal to require a statement in the NPP about such communications and the ability of an individual to opt out. (78 FR 17; 45 CFR 164.520)
3) The Final Rule DID adopt the proposed requirement for a statement in the NPP regarding fundraising communications and an individual's right to opt out of receiving such communications, if a covered entity intends to contact an individual to raise funds for the covered entity. (78 FR 17; 45 CFR 164.520(b)(1)(iii)(A)) The Final Rule does not require covered entities to send pre-solicitation opt-outs to individuals prior to the first fundraising communication: the individual will be on notice of the opportunity to opt out through the notice of privacy practices, and the first fundraising communication itself will contain a clear and conspicuous opportunity to opt out, so there is no need to require covered entities to incur the additional burden and cost of sending pre-solicitation opt-outs. (78 FR 17)

Notice of Privacy Practices
3) (cont.) However, if a covered entity uses a public directory to mail fundraising communications to all residents in a particular geographic service area, the notice and opt-out requirements are not applicable. (78 FR 17)
4) Right to restrict disclosures: the Final Rule adopts the proposal that the NPP inform individuals of their new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service. Only health care providers are required to include such a statement in the NPP; other covered entities may retain the existing language indicating that a covered entity is not required to agree to a requested restriction. (78 FR 17)

Notice of Privacy Practices
5) Breach notification: the Final Rule requires CEs to include in their NPP a statement of the right of affected individuals to be notified following a breach of unsecured PHI. A simple statement in the NPP that an individual has a right to, or will receive, notification of a breach of his or her unsecured PHI will suffice. (78 FR 17)
6) GINA: the Final Rule adopts the requirement for health plans that perform underwriting to include in their NPPs a statement that they are prohibited from using or disclosing genetic information for such purposes, except with regard to issuers of long-term care policies, which are not subject to the underwriting prohibition. (78 FR 17)

Notice of Privacy Practices
7) Availability and publication: the Final Rule retains the requirement that when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision, must have the NPP available at the delivery site, and must post the notice in a clear and prominent location. (78 FR 17; 45 CFR 164.520(c)(2)(iii))
8) Publication: to the extent that some CEs have already revised their NPPs in response to the enactment of the HITECH Act or State law requirements, as long as a CE's current NPP is consistent with the Final Rule and individuals have been informed of all material revisions made to the NPP, the CE is not required to revise and distribute another NPP upon publication of the Final Rule. The Privacy Rule permits CEs to distribute their NPPs or notices of material changes by e-mail, provided the individual has agreed to receive an electronic copy. (78 FR 17)

Notice of Privacy Practices
9) Comments: a CE may satisfy the NPP provisions by providing the individual with both a short notice that briefly summarizes the individual's rights and other information, and a longer notice, layered beneath the short notice, that contains all the elements required by the Rule. The CE must take reasonable steps to ensure meaningful access for Limited English Proficient persons to the services of the covered entity, which could include translating the NPP into frequently encountered languages. Currently, there is no model language. (78 FR 17)

TEXTING
- Survey: 73% of physicians text other physicians about work.
- Is it PHI?
- Must have a policy.
- BAA with the cellular provider?

Texting: Policy
- Lost phone
- Password or fingerprint
- Workforce training
- Vendor-supplied secure messaging app
- How to coordinate texts into the medical record and supply them to patients

POINTERS
- Revise policies and procedures: include a breach notification response plan using the new presumption-of-breach standard.
- Train employees on the updated policies and procedures: document attendance.
- Conduct a risk analysis: identify locations of PHI; anticipate threats; assign levels of risk.

Questions? Thank you for attending!
The Bittinger Law Firm, Sutton Park Drive South, Suite 201, Jacksonville, Florida
Ann M. Bittinger, Esq.


More information

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers Disclaimer: The following questions and answers are not legal advice or opinion. They

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq. HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September

More information

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document

More information

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

New HIPAA Rules: A Guide for Radiology Providers

New HIPAA Rules: A Guide for Radiology Providers New HIPAA Rules: A Guide for Radiology Providers Adrienne Dresevic, Esq and Clinton Mikel, Esq The credit earned from the Quick Credit TM test accompanying this article may be applied to the AHRA certified

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

New HIPAA Rules and EHRs: ARRA & Breach Notification

New HIPAA Rules and EHRs: ARRA & Breach Notification New HIPAA Rules and EHRs: ARRA & Breach Notification Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com and Raj Goel Chief Technology Officer Brainlink

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

HIPAA Compliance in 2013:

HIPAA Compliance in 2013: HIPAA Compliance in 2013: National Association for Home Care & Hospice March on Washington March 18, 2013 1 Marcia Augsburger Partner, DLA Piper, LLP (US) Firm HIPAA Officer and HIPAA Working Group Co-Chair

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan.

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. AIS Special Report 1 AIS Special Report Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) By Francie Fernald,

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs

New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs Executive Summary After years of waiting for all of the anxious HIPAA-chondriacs out there, the HHS Office

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Department of Health and Human Services. No. 17 January 25, 2013. Part II

Department of Health and Human Services. No. 17 January 25, 2013. Part II Vol. 78 Friday, No. 17 January 25, 2013 Part II Department of Health and Human Services Office of the Secretary 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach

More information

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates Legal Update February 11, 2013 Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates On January 17, 2013, the Department of Health

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

January 25, 2013. 1 P a g e

January 25, 2013. 1 P a g e Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information

More information

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors Health Care ADVISORY July 16, 2010 HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors On July 8, 2010, the Office for Civil Rights (OCR) of the Department of

More information

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) March 2011 Presentation by Jennifer L. Cox, J.D. Red Flags Rollback Red flags is going going and not

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

Business Associate Considerations for the HIE Under the Omnibus Final Rule

Business Associate Considerations for the HIE Under the Omnibus Final Rule Business Associate Considerations for the HIE Under the Omnibus Final Rule Joseph R. McClure, Esq. Counsel Siemens Medical Solutions USA, Inc. WEDI Privacy & Security Work Group Co-Chair Agenda Who is

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Business Associates: HITECH Changes You Need to Know

Business Associates: HITECH Changes You Need to Know Business Associates: HITECH Changes You Need to Know Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 Who Is a Business Associate? A

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky

More information

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES I acknowledge that I have been provided a copy of Fiorillo Cosmetic and General Dentistry s Notice of Privacy Practices, which has an effective

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act February 20, 2013 Boston Brussels Chicago Düsseldorf Frankfurt Houston

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Signed into law on February 17, 2009, the Stimulus Package known

Signed into law on February 17, 2009, the Stimulus Package known Stimulus Package Expands HIPAA Privacy and Security and Adds Federal Data Breach Notification Law Marcy Wilder, Donna A. Boswell, and BarBara Bennett The authors discuss provisions of the Stimulus Package

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Philip L. Gordon, Esq. Littler Mendelson, P.C.

Philip L. Gordon, Esq. Littler Mendelson, P.C. Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Implementation Business Associates and Breach Notification

Implementation Business Associates and Breach Notification Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com

More information

Privacy & Security The HHS Rule is Out What s New and What s Next. Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.

Privacy & Security The HHS Rule is Out What s New and What s Next. Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp. Privacy & Security The HHS Rule is Out What s New and What s Next Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.org Disclosure Mary Jo Carden is an employee of the Academy of Managed

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements

HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements These materials do not constitute legal advice and are for educational purposes only. The information in this

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.
