HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013




Presenters
James Clay, President, Employee Benefits & HR Consulting, The Miller Group, jimc@millercares.com, 816-308-4539
Julia M. Vander Weele, JD, Partner, Spencer Fane Britt & Browne, jvanderweele@spencerfane.com, 816-292-8182

Introduction
Meeting the Increased Requirements of Benefit Compliance
Documentation and Records
HIPAA Privacy Final Regulations
Confidentiality and HIPAA Privacy Requirements
Miller as a Committed Partner

Miller Group and Confidentiality
Need for Security and Confidentiality
HIPAA Privacy Requirements for Clients
HIPAA Privacy Requirements for Miller Group
Business Associate Agreements (BA or BAA)
Miller Privacy Official: James Clay

Miller Group and Business Associate Agreements (BA or BAA)
Insurance Carriers
Plan Sponsor?
Self-Insured Plans
Insured Plans
Self-Insured TPAs/Vendors
Downstream BAs (IT)
Individuals
Other Service Providers (COBRA)

Evolution of HIPAA Privacy and Security Rules
Health Insurance Portability and Accountability Act ("HIPAA") (1996)
Privacy Rule: April 14, 2003; applicable to all protected health information
Security Rule: April 20, 2005; specific to electronic PHI
HITECH Act: February 17, 2010
Final Rule: January 25, 2013

Covered Entities
Health care providers (who conduct electronic transactions)
Health plans
Health care clearinghouses
Not employers (their relationship is to the health plan)
Not Business Associates, BUT under HITECH:
Indirect liability under the Privacy Rule (for breach of a business associate agreement)
Direct liability under the Security Rule

What's a Health Plan?
Medical, Dental, Vision, Health Care Flexible Spending Accounts
Maybe Employee Assistance Programs
Not Workers' Compensation, Long-term Disability, Life Insurance, or On-site Medical Clinics
Not employer functions such as FMLA, drug testing, sick leave, return-to-work physicals, ADA, OSHA, fitness for duty
However, the employer may need an authorization to obtain records from a provider

What's Protected Health Information?
Protected Health Information ("PHI") = individually identifiable health information relating to past, present or future health, or to payment for health care
Includes not only claims information, but name, address, premiums, coverage amounts, etc.
Does not include employment records held in the capacity of employer
Privacy protections apply to PHI for 50 years after the death of an individual

Primary Privacy Standards
Do not use or disclose PHI unless an exception applies
Disclose or request only the minimum required amount of information
Establish safeguards to prevent and minimize incidental disclosures
Obtain assurances from business associates of their compliance and assistance

Permitted Uses and Disclosures
To the Individual or Personal Representative
To a Person Involved in the Individual's Care
For Treatment, Payment or Health Care Operations
For Public Responsibility purposes
Otherwise, an Authorization is needed

Safeguards
Must be reasonably designed to minimize incidental disclosures
People: access to PHI limited to those who need the information in connection with job duties performed for the benefit plans; do not disclose PHI to other employees whose duties do not require access to PHI
Paper: don't leave in plain view; use sealed envelopes; promptly remove printed material from printers

Safeguards
Fax: designated fax machines; distribute promptly; include a disclaimer
Phone: verify identity and authority; no speakerphones, low voices
Storage: lock, put away, or cover
Destruction: shred

Notice of Privacy Practices: Individual Rights
Request additional restrictions
Receive information by alternative means or at alternative locations ("confidential communications")
Obtain access to information
Correct erroneous information
Obtain an accounting of prior disclosures

Administrative Requirements
Privacy Officer
Train workforce on privacy and security issues (new hires and periodic refreshers)
Establish a complaint process (with the Department of Health and Human Services); no retaliation
Apply sanctions for violations
Mitigate harmful effects of violations, and potentially notify affected individuals if there is a breach of unsecured PHI (see Notification of Breach below)
Document retention (6 years)

Disclosures to Employer
Summary health information okay (for purposes of renewal)
Enrollment information (for purposes of payroll deduction)
To disclose any other PHI to the employer, plan documents must contain specific privacy protections ("firewalls")
Employer may not use PHI to make employment-related decisions or for other benefit plans

Self-Funded vs. Fully-Insured
Self-Funded Plans: full set of Privacy Rule requirements apply
Insured Plans:
"Hands-on" = Plan Sponsor receives PHI in addition to summary health information and participation information; must maintain a Privacy Notice and provide it upon request
"Hands-off" = Plan Sponsor does not receive PHI other than summary health information and participation information; no Privacy Notice; no Administrative Requirements except retaliation and waiver
NO exemption from Security Rule requirements

Summary of Changes in Final Rule
Notification of breach standard
Business associates and subcontractors
Notice of privacy practices
Individual rights: right to access
Civil monetary penalties and enforcement

Effective Dates
General effective date for most provisions is September 23, 2013
One-year transition rule for business associate agreements (to the earlier of contract renewal/modification or September 22, 2014), only if:
the agreement was in existence before January 25, 2013, AND
the agreement complied with the HIPAA rules in effect on that date, AND
the contract was not modified or renewed between March 26, 2013 and September 23, 2013

Notification of Breach
New requirement as part of HITECH
Applies to unsecured PHI that is accessed, acquired, or disclosed by or to an unauthorized person as a result of a breach
Must notify affected individuals and the Department of HHS in the event of a breach

Definition of Breach
Old Standard: significant risk of financial, reputational, or other harm to the individual
New Standard: presumption of breach unless a risk assessment demonstrates a low probability that the PHI has been compromised
Four-factor risk assessment must be documented
Burden shifted to the covered entity or business associate to show that notice is not required

Breach Notification Risk Assessment
Nature and extent of the PHI involved
Identity of the unauthorized user or recipient
Whether the PHI was actually acquired or viewed
Extent to which the risk to the PHI has been mitigated
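The decision rule behind the Definition of Breach and the four-factor risk assessment slides above, written out as an added Python example (this is not code from the presentation or from the presenters). It encodes the burden shift the slides describe: a breach is presumed, and notification is required, unless the PHI was secured or a documented assessment rates all four factors as supporting a low probability of compromise. An incomplete assessment cannot rebut the presumption. The LOW/HIGH scale, the factor wording, the Incident/Factor structures and the sample incident are this example's own assumptions.

```python
"""Four-factor breach risk assessment under the 2013 Final Rule standard.

Added example, not from the presentation. The rule implemented: notify
unless (a) the PHI was secured, or (b) all four factors are documented
and each supports a low probability that the PHI was compromised.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Probability(Enum):
    LOW = "low"    # this factor supports a low probability of compromise
    HIGH = "high"  # this factor does not support a low probability


@dataclass
class Factor:
    name: str
    rating: Probability
    rationale: str  # the written justification the rule requires


@dataclass
class Incident:
    description: str
    occurred_on: date
    phi_secured: bool  # e.g. encrypted per HHS guidance (assumption: a boolean flag)
    factors: list = field(default_factory=list)


# The four factors from the slide (wording is this example's paraphrase).
FACTOR_NAMES = (
    "nature and extent of PHI involved",
    "unauthorized person who used or received the PHI",
    "whether the PHI was actually acquired or viewed",
    "extent to which the risk has been mitigated",
)


def assess(incident: Incident) -> dict:
    """Return a documented determination record for the incident."""
    record = {
        "incident": incident.description,
        "occurred_on": incident.occurred_on.isoformat(),
        "factors": [
            {"name": f.name, "rating": f.rating.value, "rationale": f.rationale}
            for f in incident.factors
        ],
    }
    if incident.phi_secured:
        # The breach notification rule applies to unsecured PHI only.
        record["determination"] = "no notification: PHI was secured"
        record["notification_required"] = False
        return record

    documented = {f.name for f in incident.factors}
    missing = [n for n in FACTOR_NAMES if n not in documented]
    if missing:
        # The burden is on the entity; an undocumented factor cannot rebut the presumption.
        record["determination"] = "notify: assessment incomplete, missing " + "; ".join(missing)
        record["notification_required"] = True
        return record

    high = [f.name for f in incident.factors if f.rating is Probability.HIGH]
    if high:
        record["determination"] = "notify: presumption of breach not rebutted (" + "; ".join(high) + ")"
        record["notification_required"] = True
    else:
        record["determination"] = "no notification: low probability of compromise documented"
        record["notification_required"] = False
    return record


def sample_misdirected_fax() -> Incident:
    """Constructed sample incident: an explanation of benefits faxed to the wrong provider office."""
    return Incident(
        description="EOB for one participant faxed to wrong provider office (constructed sample)",
        occurred_on=date(2013, 5, 7),
        phi_secured=False,
        factors=[
            Factor(FACTOR_NAMES[0], Probability.LOW, "name and claim amount only; no SSN, no diagnosis"),
            Factor(FACTOR_NAMES[1], Probability.LOW, "recipient is itself a HIPAA covered entity"),
            Factor(FACTOR_NAMES[2], Probability.HIGH, "recipient staff confirmed they read the fax"),
            Factor(FACTOR_NAMES[3], Probability.LOW, "recipient shredded the fax and signed an attestation"),
        ],
    )


if __name__ == "__main__":
    import json
    print(json.dumps(assess(sample_misdirected_fax()), indent=2))
```

Run stand-alone it prints the determination record for the constructed fax incident; because one factor is rated HIGH the result is "notify", which is the point of the new standard: a single factor that does not support low probability leaves the presumption of breach standing.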

Business Associates
Business Associate Definition:
Old Definition: person or organization who performs functions/activities on behalf of, or provides services to, a covered entity which involve the creation, use or disclosure of individually identifiable health information
New Definition: person or organization who creates, receives, maintains, or transmits PHI on behalf of a covered entity
Broader definition: even if not required to access PHI to perform its services, a BA relationship exists if there is a persistent ability to access PHI (e.g., data storage providers)

Business Associates
Liability of Business Associates prior to HITECH:
No direct application of the HIPAA privacy or security rules, so no civil or criminal penalties could be assessed on BAs
Potential liability to the covered entity (if the BA agreement included indemnification), but generally the covered entity's only recourse is the right to terminate the agreement upon the BA's breach and failure to cure
Covered entity not liable for acts of the BA if it had no knowledge of the violations or took reasonable steps to end them

Business Associates
Business Associates under HITECH:
Now directly subject to the HIPAA Security Rules in the same manner as covered entities
Also subject to civil and criminal penalties for failure to adhere to the Privacy provisions in the Business Associate agreement
New: covered entity is liable for acts of the BA if the BA is acting as an agent of the covered entity

Business Associate Agreements
May need to amend existing business associate agreements to reflect:
Direct liability for Security Rule compliance
Breach notification requirements
Contractual obligations with respect to subcontractors
Obligation to comply with the Privacy Rule provisions in the agreement
Sample provisions available on the HHS website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Subcontractors
Subject to the same requirements as business associates if they create, receive, maintain, or transmit PHI on behalf of a BA
Subcontractor = a person to whom a BA delegates a function, activity, or service
Must have a BA agreement
Same duties as a covered entity with respect to monitoring: reasonable steps to cure or end a violation
New: requirement to notify HHS removed

Notice of Privacy Practices
Health plans must update the privacy notice to include:
Statement that the plan must obtain an authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, or to sell PHI
Statement that the plan will not use or disclose PHI for any purpose not described in the notice
Statement that the plan is prohibited from using PHI that is genetic information for underwriting purposes (if PHI is used for underwriting purposes)
Right to receive a notice when there is a breach of unsecured PHI
Right to receive an electronic copy of PHI

Notice of Privacy Practices: Delivery and Timing
Changes are considered material, so the notice must be provided within 60 days of the change (September 23, 2013)
If the plan has its own website:
Post the material change or revised notice on the website by September 23, 2013, and
Provide the revised notice, or information about the material change and how to obtain the revised notice, in the next annual mailing (e.g., open enrollment)

Individual Rights - Access
Maintained in a designated record set
CE must provide access in the electronic form and format requested (if readily producible)
If not readily producible, in a machine-readable format (e.g., MS Word, Excel, text, HTML, PDF)
Provide within 30 days (an additional 30-day extension is permitted)

Security Rule
Standards: Administrative, Physical, Technical
Implementation Specifications: Required (R), Addressable (A)

Administrative Safeguards
Security Management Process:
Risk Analysis (A)
Risk Management (R)
Sanctions (R)
Information System Activity Review (sign-on/sign-off activity; unsuccessful logon attempts) (R)
Security Officer (R)
Workforce Security:
Authorization and/or Supervision (A)
Workforce Clearance Procedures (background checks) (A)
Termination Procedures (disable user id and password) (A)
Information Access Management:
Access Authorization (controlled by user id and password) (A)
Access Establishment and Modification (A)

Security Rule Safeguards
Security Awareness and Training:
Security Reminders (training) (A)
Protection from Malicious Software (anti-viral software/firewall) (A)
Log-in Monitoring (report suspicious activity) (A)
Password Management (change periodically?) (A)
Security Incident Procedures (Response and Reporting) (R)
Contingency Plans:
Data Backup (nightly? weekly?) (R)
Disaster Recovery (R)
Emergency Mode Operation (R)
Testing and Revision Procedures (A)
Applications and Data Criticality Analysis (A)
Evaluation
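The Information System Activity Review specification (Administrative Safeguards, above) and the Log-in Monitoring specification (Security Awareness and Training) both come down to periodically reading logon records and reporting what looks suspicious. The following added Python example, which is not code from the presentation, shows one concrete form such a review can take: it parses a constructed logon log, summarizes sign-on/sign-off activity per user, and flags users with a burst of unsuccessful logon attempts, marking whether a successful logon followed the burst (the case a reviewer should look at first). The log format, the threshold of 5 failures in 10 minutes, and the sample lines are all this example's assumptions.

```python
"""Information system activity review: sign-on/sign-off summary and failed-logon bursts.

Added example, not from the presentation. Log format, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<id> src=<ip>"
SAMPLE_LOG = """\
2013-05-07T08:00:05 LOGON_OK user=jdoe src=10.0.0.12
2013-05-07T08:01:10 LOGON_FAIL user=asmith src=10.0.0.40
2013-05-07T08:01:15 LOGON_FAIL user=asmith src=10.0.0.40
2013-05-07T08:01:22 LOGON_FAIL user=asmith src=10.0.0.40
2013-05-07T08:01:30 LOGON_FAIL user=asmith src=10.0.0.40
2013-05-07T08:01:41 LOGON_FAIL user=asmith src=10.0.0.40
2013-05-07T08:02:00 LOGON_OK user=asmith src=10.0.0.40
2013-05-07T09:15:00 LOGON_FAIL user=jdoe src=10.0.0.12
2013-05-07T12:30:00 LOGON_FAIL user=jdoe src=10.0.0.12
2013-05-07T17:05:00 LOGOFF user=jdoe src=10.0.0.12
"""

FAIL_THRESHOLD = 5          # assumed review threshold
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one log line into a dict with ts, event and the key=value fields."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_logon_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {user: max failures seen inside one window} for users at or over the threshold."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def followed_by_success(events, user):
    """True if the user's last failed logon was followed by a successful logon."""
    last_fail = max((e["ts"] for e in events if e["user"] == user and e["event"] == "LOGON_FAIL"), default=None)
    if last_fail is None:
        return False
    return any(e["user"] == user and e["event"] == "LOGON_OK" and e["ts"] > last_fail for e in events)


def session_summary(events):
    """Per-user sign-on/sign-off counts for the periodic review record."""
    summary = defaultdict(lambda: {"logon_ok": 0, "logon_fail": 0, "logoff": 0})
    for e in events:
        summary[e["user"]][e["event"].lower()] += 1
    return dict(summary)


def review(text):
    """Produce the review record: activity summary plus flagged users with context."""
    events = parse_log(text)
    bursts = failed_logon_bursts(events)
    return {
        "summary": session_summary(events),
        "flagged": {u: {"failures": n, "then_succeeded": followed_by_success(events, u)} for u, n in bursts.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the sample, jdoe's two failures hours apart stay below the threshold, while asmith's five failures in about thirty seconds followed by a success are flagged with then_succeeded set, which is the entry a reviewer records and escalates under the Security Incident Procedures.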

Physical Safeguards
Facility Access:
Contingency Operations (A)
Facility Security Plan (badge readers, alarm system) (A)
Access Control and Validation Procedures (escort visitors) (A)
Maintenance Records (A)
Workstation Use (automatic screensavers)
Workstation Security (shut-down procedures); also applies to remote workstations
Device and Media Controls:
Disposal (delete or purge PHI first) (R)
Media Re-use (delete or purge PHI first) (R)
Accountability (A)
Data Backup and Storage (A)

Technical Safeguards
Access Controls:
Unique User Identification (do not share user ids or passwords) (R)
Emergency Access Procedure (R)
Automatic Logoff (mandatory screensavers and shut-down procedures) (A)
Encryption and Decryption (alternative: passwords for BlackBerrys and laptops) (A)
Audit Controls
Data Integrity
Person or Entity Authentication
Transmission Security:
Integrity Controls (A)
Encryption and Decryption (for e-mails or file transfers containing PHI) (A)

Civil Monetary Penalties
Final rule adopts the higher penalties for violations as proposed under HITECH:
Violations where the covered entity did not know and would not have known through the exercise of reasonable diligence: at least $100 per violation (maximum of $50,000)
Violations due to reasonable cause: at least $1,000 per violation (maximum of $50,000)
Violations due to willful neglect: $10,000-$50,000 per violation (if corrected); $50,000 per violation (if not corrected)
Maximum penalty for single-count violations is $1.5 million; potentially much higher penalties for multiple-count violations (e.g., a security breach may constitute both an impermissible use/disclosure and a violation of the requirement to institute appropriate safeguards, up to $3 million)
Correction of a violation within 30 days may reduce or eliminate the penalty if the violation was not due to willful neglect

Enforcement
Business associates subject to penalties for violation of provisions directly applicable to BAs
New: HHS must investigate a complaint or conduct a compliance review whenever a preliminary review indicates a possible violation due to willful neglect
CEs and BAs liable for acts of agents even if there is no business associate agreement

Enforcement
February 22, 2011: HHS imposed a $4.3M penalty against Cignet Health of Prince George's County, Maryland
Cignet failed to respond to patients' requests for access to medical records
Cignet failed/refused to cooperate in HHS's investigation

Enforcement
Two days later, Massachusetts General Hospital entered into a $1M settlement with HHS
An employee left paper records containing the PHI of 192 patients, including patients with HIV/AIDS, on the subway
The hospital did not admit liability and did not pay a penalty

Enforcement
January 2013: first HIPAA breach settlement involving fewer than 500 patients
Hospice of North Idaho (HONI) agreed to pay HHS $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
The investigation followed a breach report submitted by HONI reporting the theft of a laptop computer containing the electronic PHI of 441 patients
HHS concluded that HONI had not conducted a risk analysis to safeguard e-PHI and did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule

Next Steps
Review and update the notice of privacy practices
Review and update privacy and security policies and procedures
Review and amend business associate agreements if necessary
Provide updated training to the workforce

What Else?
HHS is required to annually evaluate suitable security protections, develop plans to improve compliance, and conduct periodic audits
Plan sponsors should conduct periodic privacy and security reviews to keep up with HHS guidance
Revise policies/procedures as technology improves and becomes more affordable

Miller Group Activities
Complete Security and IT Audit from an Outside Party
Review of Upstream and Downstream Business Associate Agreements
Assignment of New Privacy Officer and Security Officer
New Revised Business Associate Agreements
Training for Associates
Updated Training for Clients

Questions?

Contact Information
James Clay, President, Employee Benefits & HR Consulting, The Miller Group, jimc@millercares.com, 816-308-4539
Julia M. Vander Weele, JD, Partner, Spencer Fane Britt & Browne, jvanderweele@spencerfane.com, 816-292-8182
www.benefitsinbrief.com