Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
HIPAA Privacy Rule
Sets standards for confidentiality and privacy of individually identifiable health information.
April 14, 2003 compliance date.
Applies to Covered Entities:
  Health plans
  Health care clearinghouses
  Health care providers that transmit health information electronically
Privacy Rule vs. Security Rule
The Security Rule applies only to PHI that is transmitted or maintained electronically.
The Privacy Rule applies to PHI that is transmitted electronically, verbally, or in written form.
The deadline for compliance:
  Privacy Rule: April 14, 2003
  Security Rule: April 21, 2005
Allowed Disclosures
Covered entities are permitted to disclose PHI without authorizations for the purposes of:
  Treatment: management of healthcare
  Payment: reimbursement and benefits
  Healthcare Operations: medical reviews, contracts, compliance, business planning, financial, and legal activities
(45 CFR 164.501)
States and HIPAA
HIPAA is a federal floor for patient protections and industry standards; the states retain the ability to enforce laws which exceed those federal boundaries.
HIPAA requires the states to self-determine:
  Which agencies meet the federal definition of a covered entity
  Whether those entities are governed by state law, HIPAA, or other federal privacy laws
Business Associates
Covered Entities (health care providers, health insurance companies, etc.) hire law firms, accounting firms, shred companies, litigation support companies, and many other types of businesses whose job involves accessing PHI. Those businesses are then called Business Associates.
In 2009, those Business Associates were required to adhere to stricter regulations, and law firms became the Covered Entities when they represented health care entities.
New 2009 Regulations
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 and affects Privacy:
  Covered entities and their business associates will have to notify individuals and HHS of any security breach; sometimes the media will need to be notified as well.
  Vendors of personal health records and other non-HIPAA covered entities will have to report security breaches (Sec. 13407 of HITECH).
  The determination of what counts as "unsecured" PHI will be made by HHS and the Federal Trade Commission for notification purposes.
  Encryption of electronic information and destruction of PHI will render it unusable, unreadable, or indecipherable to unauthorized individuals and will relieve the covered entity of the need to notify individuals in case of a breach.
Attorneys Representing Covered Entities
Attorneys are responsible for ensuring that others hired to assist in providing legal services to the covered entity will also safeguard the privacy of the PHI.
Includes joint counsel, jury experts, investigators, litigation support, etc.
** Not responsible for opposing counsel, even if PHI was disclosed to them, because they are not assisting in representing the covered entity.
(45 CFR 164.504(e))
Attorneys Representing Covered Entities, cont.
Business Associate Agreements are signed to provide that the attorney will ensure that the minimum necessary standard for disclosures of PHI is consistent with that of the covered entity.
Law firms must now have all subcontractors sign Business Associate Agreements when representing Covered Entities.
The law firm becomes the covered entity when drafting business associate agreements with subcontractors.
HIPAA & HITECH Requirements Law Firms as well as their Subcontractors and Business Associates (when representing Covered Entities) must now comply with the Administrative, Technical and Physical Safeguards required by the Security Rule.
Administrative Safeguards
Risk Analysis and Risk Management: assess potential risks to the confidentiality, integrity and availability of electronic PHI.
Sanction Policy: against workforce members who fail to comply with security procedures.
Security Awareness Training, Incident Response & Reporting, Workforce Clearance, Termination Procedures and Access Authorization must all be addressed.
Contingency Plans, Data Backup Plans, Disaster Recovery Plans and Emergency Mode Operation Plans are required to protect electronic PHI from vandalism, natural disasters and other security incidents.
(45 CFR 164.308(a))
Technical Safeguards
Security standards to protect electronic PHI.
Electronic Access Integrity and Control:
  Unique user I.D. with time-outs and automatic log-off
  Person or entity authentication
  Emergency access procedures
  Audit controls to monitor activity on I.T. systems containing PHI
  Transmission security must include encryption and decryption
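The access-control bullets above (unique user IDs, idle time-outs with automatic log-off, person authentication, an emergency access path, and audit controls) are easier to reason about when seen working together in code. The following is an added illustration, not code from the presentation or from U.S. Legal Support: a small Python service that gates reads of PHI records on an authenticated session, logs every attempt to an audit trail, expires idle sessions, and lets an emergency ("break-glass") login bypass the access list while flagging the event for review. The 15-minute time-out, the record store, the access list and the user names are all constructed assumptions; an injectable clock makes the behaviour checkable without waiting.

```python
"""Model of the Security Rule's technical safeguards listed on the slide:
unique user IDs, idle time-out with automatic log-off, authentication,
emergency access and audit controls. Constructed example, not the
presenter's or any vendor's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed policy value, not from the slides

# Constructed sample data: PHI records keyed by record id, and an access list
# (Access Authorization) mapping unique user IDs to the records they may read.
PHI_RECORDS = {"rec-1001": "constructed sample chart",
               "rec-1002": "constructed sample lab result"}
ACL = {"jdoe": {"rec-1001"}, "asmith": {"rec-1002"}}


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    action: str
    record_id: Optional[str]
    outcome: str


@dataclass
class Session:
    user_id: str
    last_activity: datetime
    active: bool = True
    emergency: bool = False


class PhiAccessService:
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock                      # injectable for testing
        self.sessions: Dict[str, Session] = {}
        self.audit: List[AuditEvent] = []       # audit control: every attempt is logged

    def _log(self, user_id: str, action: str, record_id: Optional[str], outcome: str) -> None:
        self.audit.append(AuditEvent(self.clock(), user_id, action, record_id, outcome))

    def login(self, user_id: str, authenticated: bool, emergency: bool = False) -> bool:
        """Person/entity authentication happens upstream; we only record its result."""
        if not authenticated:
            self._log(user_id, "login", None, "denied: authentication failed")
            return False
        self.sessions[user_id] = Session(user_id, self.clock(), emergency=emergency)
        self._log(user_id, "login", None, "ok (emergency)" if emergency else "ok")
        return True

    def _check_session(self, user_id: str) -> Optional[Session]:
        """Return the live session, or None after enforcing the idle time-out."""
        s = self.sessions.get(user_id)
        if s is None or not s.active:
            return None
        if self.clock() - s.last_activity > IDLE_TIMEOUT:
            s.active = False                    # automatic log-off
            self._log(user_id, "auto_logoff", None, "idle timeout exceeded")
            return None
        s.last_activity = self.clock()
        return s

    def read_record(self, user_id: str, record_id: str) -> Optional[str]:
        s = self._check_session(user_id)
        if s is None:
            self._log(user_id, "read", record_id, "denied: no active session")
            return None
        if record_id not in PHI_RECORDS:
            self._log(user_id, "read", record_id, "denied: no such record")
            return None
        if s.emergency:
            # Emergency access procedure: bypasses the ACL but is always flagged for review.
            self._log(user_id, "read", record_id, "ok (emergency access, review required)")
            return PHI_RECORDS[record_id]
        if record_id not in ACL.get(user_id, set()):
            self._log(user_id, "read", record_id, "denied: not authorized")
            return None
        self._log(user_id, "read", record_id, "ok")
        return PHI_RECORDS[record_id]


def demo() -> dict:
    """Normal read, unauthorized read, idle time-out, then a break-glass read."""
    now = {"t": datetime(2013, 9, 23, 9, 0, tzinfo=timezone.utc)}  # constructed start time
    svc = PhiAccessService(lambda: now["t"])
    svc.login("jdoe", authenticated=True)
    first = svc.read_record("jdoe", "rec-1001")          # authorized -> returned
    denied = svc.read_record("jdoe", "rec-1002")         # not in jdoe's ACL -> None
    now["t"] += timedelta(minutes=20)                    # exceed the idle time-out
    after_timeout = svc.read_record("jdoe", "rec-1001")  # auto log-off -> None
    svc.login("oncall", authenticated=True, emergency=True)
    breakglass = svc.read_record("oncall", "rec-1002")   # allowed, flagged in audit
    return {"first": first, "denied": denied, "after_timeout": after_timeout,
            "breakglass": breakglass, "audit": svc.audit}


if __name__ == "__main__":
    for e in demo()["audit"]:
        print(e.when.isoformat(), e.user_id, e.action, e.record_id, e.outcome)
```

The design point worth noticing is that denials are logged as carefully as successes and that the emergency path is distinguishable in the audit trail; an auditor reviewing the I.T. system can then ask why each break-glass event happened rather than discovering it only after a breach.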
Physical Safeguards
Facility Access Controls: safeguard the facility and any equipment or I.T. systems with electronic PHI. Includes validation of people's access and visitor control.
Workstation Use and Security: physical safeguards for all workstations that access electronic PHI, restricting unauthorized users.
Device and Media Controls: safeguarding the receipt and removal of hardware and electronic media into and out of the facility.
  Disposal of electronic PHI and hardware containing PHI ("cleaning")
  Removal of PHI before electronic media is made available for re-use (copiers, facsimile machines, etc.)
  Retrievable data backup and storage BEFORE movement of equipment
(45 CFR 164.310)
2013 Omnibus Rule
Further expanded the responsibilities of Business Associates.
Business associates are required to develop comprehensive written HIPAA policies, procedures and agreements with covered entities and subcontractors specifying the provisions required by the HIPAA Privacy and Security Rules.
New business associate agreements must comply with the Omnibus Rule by September 23, 2013.
If a business associate agreement complied with the pre-Omnibus rule, the parties have 1 additional year, or until September 22, 2014, to bring their agreements into compliance.
Omnibus Rule, cont.
The Omnibus Rule changed the breach standard from a "significant risk of harm" to a "probability that data was compromised" standard.
The criteria to assess whether a breach occurred are as follows:
  a) The nature and extent of the PHI (including identifiers and the likelihood of re-identification of the individual);
  b) The identity of the unauthorized person who used the PHI or to whom disclosure was made;
  c) Whether the PHI was actually acquired or viewed (can be determined through a forensic analysis); and
  d) The extent to which the risk to the PHI has been mitigated.
Enforcement
The Department of Health and Human Services (HHS) established rules for investigating, prosecuting, and imposing penalties for HIPAA Privacy Rule violations.
NEW RULE (as of December 29, 2009):
  Tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision
  Criminal violations fined up to $250,000 and up to ten years in prison (enforced by the Department of Justice)
HHS hired auditing firms to randomly audit covered entities and business associates for compliance and will be conducting more audits in 2013 and 2014 under the new Omnibus Rule.
Important HITECH Information
State attorneys general now can bring civil actions and recover attorneys' fees from covered entities.
Business associates now can be fined by the government the same way covered entities can.
Physical, Technical and Administrative Safeguards are now required and involve all aspects of law practices, including: law firms' software systems (data backup, encryption, firewalls, passwords, etc.), PDAs, office access and security, employee training, storage and destruction of PHI, etc.
Additional HIPAA and HITECH Information
Office for Civil Rights HIPAA website: http://www.hhs.gov/ocr/privacy/
Health and Human Services HITECH website: http://healthit.hhs.gov/portal/server.pt
U.S. Legal Support HIPAA page: http://www.uslegalsupport.com/recordretrieval/hipaa/