HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS
James J. Eischen, Jr., Esq.
November 2013, San Diego, California
JAMES J. EISCHEN, JR., ESQ.
Partner at Higgs, Fletcher & Mack, LLP. 26+ years of experience as an attorney in California in planning and compliance, with emphasis on private medicine, healthcare/data management start-up enterprises, and healthcare business planning. Graduated from the University of California at Davis School of Law in 1987.
Professional memberships: San Diego County Bar Association Law & Medicine Section; Attorney-Client Relations Committee; American Academy of Private Physicians, corporate secretary and chair of the legal compliance and advocacy committee.
SO, WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
WHY SHOULD I CARE?
- You might now be HIPAA-regulated, just like a physician's office.
- What the !@#$%^&*?????????
- This is doable if you understand HIPAA.
FIRST, KEY TERMS
- PHI = Protected health information.
- Unsecured PHI = PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons (the recognized methods are encryption and destruction).
- Breach = acquisition, access, use or disclosure of PHI in a manner that compromises the security or privacy of the PHI.
WHAT ARE THE BASIC HIPAA RULES?
The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information.
The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes national security standards for efforts to protect certain health information held or transferred in electronic form.
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and nontechnical safeguards that organizations called "covered entities" must put in place to secure individuals' electronic protected health information (ePHI).
The Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
WHY HAVE A SECURITY RULE?
- Prior to HIPAA, there was no generally accepted set of security standards or general requirements for protecting health information.
- 50 states = 50 sets of privacy laws.
- New technologies keep evolving. The Security Rule protects privacy while allowing covered entities to adopt new technologies.
- The Security Rule is designed to be flexible and scalable, so a covered entity can implement policies, procedures, and technologies appropriate for the entity's particular size, organizational structure, and risks to consumer ePHI.
HOW TO COMPLY WITH THE SECURITY RULE
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
All of this is documented in a Risk Assessment Memo.
SECURITY RULE: CONFIDENTIALITY AND FLEXIBILITY
The Security Rule defines:
- confidentiality to mean that ePHI is not available or disclosed to unauthorized persons;
- integrity to mean that ePHI is not altered or destroyed in an unauthorized manner;
- availability to mean that ePHI is accessible and usable on demand by an authorized person.
Covered entities range in size. The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.
SO, WHAT SECURITY MEASURES SHOULD BE IMPLEMENTED?
The Security Rule does not dictate specific measures, but requires the covered entity to consider:
- Size, complexity, and capabilities;
- Technical, hardware, and software infrastructure;
- Costs of security measures; and
- Likelihood and possible impact of potential risks to ePHI.
Covered entities must review and modify their security measures to continue protecting ePHI in a changing environment.
WHAT IS THE OMNIBUS/FINAL RULE (OR, WHY DO I NEED TO KNOW ABOUT HIPAA?)
Covered entities need to review documentation, including business associate agreements, notice of privacy practices, and their policies and procedures, to ensure compliance with the Final Rule.
- BAA that complies with the pre-Omnibus rule: update the BAA by September 23, 2014.
- BAA that does not comply with the pre-Omnibus rule: have an Omnibus-compliant BAA in place by September 23, 2013.
BEFORE AND AFTER THE OMNIBUS RULE
- Before: Business Associates ("BA") were contractually regulated through a Business Associate Agreement (BAA).
- After: BAs and subcontractors are now Covered Entities ("CE") and regulated directly under HIPAA. BAs = CEs, must comply with HIPAA and are regulated.
EXPANDED DEFINITION OF CE
- CE: on behalf of a covered entity (CE), creates, receives, maintains or transmits PHI.
- Subcontractor of a BA: role + responsibilities of BA = CE.
- BA requirements/exposure are not defined simply because an entity is a party to a BAA.
FINAL RULE: EXPANDED DEFINITION OF BUSINESS ASSOCIATES & COVERED ENTITIES
- Patient Safety Organizations
- Health information exchange organizations
- E-prescribing gateways
- CE personal health record vendors
- Data transmission providers that require access to PHI on a routine basis
AND: Any person or entity with ePHI!!!
NOT A BA/CE?
- Those who simply provide transmission services: digital couriers or mere conduits.
- But if you have personalized ePHI, even if you don't view it, you are a BA/CE!!!
SUBCONTRACTORS?
- The contract between the CE's BA and the BA's subcontractor must satisfy the BA requirements.
- Subcontractor of a subcontractor of a subcontractor of a subcontractor: ALL are BAs.
- HIPAA/HITECH obligations apply to subcontractors.
WHEN DO BAs/CEs HAVE TO COMPLY?
- If using a BAA that complies with the pre-Omnibus rule: update the BAA by September 23, 2014.
- If using a BAA that does not comply with the pre-Omnibus rule: have an Omnibus-compliant BAA in place by September 23, 2013.
WHAT SHOULD YOU DO IF A BA/CE?
- Confirm whether you are a CE/BA.
- Review all existing BAAs.
- Evaluate relationships/agreements that require BAAs.
- Create HIPAA compliance documents: Notice of Privacy Practices (NPP), Business Associate Agreement (BAA), Risk Assessment/Security Rule documentation.
BREACHES AND SECURITY
PRESUMPTION OF BREACH
- Interim Final Rule: a risk assessment determined whether unauthorized PHI access, use or disclosure caused harm; no presumption of a breach.
- Final Rule: unauthorized access, use or disclosure is presumed to be a breach unless the CE determines there is a low probability that the PHI was compromised.
POTENTIAL BREACH EVALUATION
The CE must evaluate:
- The nature and extent of the PHI;
- The unauthorized person who used the PHI;
- To whom the disclosure was made;
- Whether the PHI was actually viewed or acquired;
- How the risk was mitigated.
DOCUMENT, DOCUMENT, DOCUMENT, AND THEN DOCUMENT SOME MORE.
BREACH NOTIFICATION
- A BA/CE must provide notice of a breach to the CE (if applicable).
- A breach is treated as discovered as of the 1st day on which it is known or would have been known. When, by exercising reasonable diligence, would the breach have been known?
- A subcontractor BA gives notice to the BA.
ACCESS AND RESTRICTIONS
ACCESS TO THIRD PARTIES
- An individual can request that the CE send PHI to another individual/entity.
- The request must be in writing; electronic is OK, but verification is needed.
- Identify who/what is the PHI receiver.
- PHI must still be protected when sent to third parties.
- Third parties receiving PHI are BAs & CEs!
CALIFORNIA: NEW DATA PRIVACY LAWS BEYOND HIPAA DO NOT ASSUME ALL PRIVACY LAWS ARE FEDERAL!
http://www.paulhastings.com/resources/upload/publications/stay-current-California-Privacy-Law.pdf
- A "Do Not Track" law, which requires commercial websites and online service providers to disclose how they respond to "do not track" signals from Internet browsers;
- An "Eraser" law, which provides web users under the age of 18 with the right to delete or remove content they have posted online, and which contains advertising prohibitions restricting the marketing and advertising of products not legally available to minors (such as alcohol and firearms) on sites directed to minors;
- Expanded data breach notification requirements, which add user names and email addresses to the definition of "personal information";
- A "revenge porn" law, which makes the photographer's publishing of pornographic material without the subject's consent and with the intent to cause serious emotional distress a misdemeanor;
- An expanded Confidentiality of Medical Information Act ("CMIA"), which now covers any business that offers software or hardware to California consumers, including mobile applications or other related devices; and
- A Privacy of Consumer Electrical or Natural Gas Usage Data law, which prohibits businesses from sharing a customer's electrical or natural gas usage data with a third party without first obtaining the customer's express consent.
THANK YOU
James J. Eischen, Jr., Esq.
Office: (619) 819-9655
Email: Eischenj@higgslaw.com
Skype: jeischenjr
http://www.assessmentandplan.com
http://www.higgslaw.com