HIPAA Update
Presented by: Melissa M. Zambri
June 25, 2014
Timeline of New Rules
2/17/09 - Stimulus Package Enacted
8/24/09 - Interim Final Rule on Breach Notification
10/7/09 - Proposed Rule Regarding Genetic Information
7/14/10 - Proposed Regulations Implementing Stimulus Package Rules
1/25/13 - Final Regulations Implementing Stimulus Package Rules Issued (Omnibus Rule)
3/26/13 - Omnibus Rule Becomes Effective
9/23/13 - Omnibus Rule Compliance Date
9/23/14 - Revisions to Business Associate Agreements
Breach Notification
Compliance Deadline = September 23, 2013
Interim Rule: used "a significant risk of financial, reputational or other harm to the individual" as the standard, based on four factors.
Revised Breach Notification Policy
New Standard: a breach is presumed, unless there is a low probability that the PHI was compromised, based on:
- Nature and extent of the PHI
- The person who accessed the PHI
- Whether the PHI was actually acquired or viewed
- Extent to which the risk has been mitigated
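The four-factor test above is a documented decision, so it helps to see it written down as one. The following is an added example, not material from the presentation or from Hiscock & Barclay: it models the new standard (breach presumed unless a low probability of compromise can be shown) over a few constructed incidents. The decision rule it applies, that all four factors must favour "low probability" and that an unknown answer to "was the PHI acquired or viewed" never counts in the entity's favour, is this example's conservative modelling assumption, not regulatory text; the "sensitive elements" list and the sample incidents are likewise constructed.

```python
"""Four-factor breach risk assessment under the Omnibus Rule (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Data elements treated as raising the probability of compromise (constructed list).
SENSITIVE_ELEMENTS = frozenset({"ssn", "diagnosis", "treatment", "financial", "genetic"})


@dataclass(frozen=True)
class Incident:
    description: str
    unsecured: bool                      # False if encrypted/destroyed per HHS guidance
    identifiers: FrozenSet[str]          # Factor 1: nature and extent of the PHI
    recipient_hipaa_obligated: bool      # Factor 2: who received or used the PHI
    acquired_or_viewed: Optional[bool]   # Factor 3: None means unknown
    mitigation_assurance: bool           # Factor 4: e.g. signed attestation of destruction


@dataclass
class Assessment:
    notify: bool
    reasons: List[str]


def factor_nature(inc: Incident) -> Tuple[bool, str]:
    hit = sorted(inc.identifiers & SENSITIVE_ELEMENTS)
    if hit:
        return False, f"factor 1: sensitive elements involved {hit}"
    return True, "factor 1: limited identifiers, low re-identification harm"


def factor_recipient(inc: Incident) -> Tuple[bool, str]:
    if inc.recipient_hipaa_obligated:
        return True, "factor 2: recipient is itself bound by HIPAA"
    return False, "factor 2: recipient has no HIPAA obligations"


def factor_acquired(inc: Incident) -> Tuple[bool, str]:
    # Unknown is not favourable: the presumption of breach stands (modelling assumption).
    if inc.acquired_or_viewed is False:
        return True, "factor 3: PHI not actually acquired or viewed"
    if inc.acquired_or_viewed is None:
        return False, "factor 3: unknown whether PHI was acquired or viewed"
    return False, "factor 3: PHI was acquired or viewed"


def factor_mitigation(inc: Incident) -> Tuple[bool, str]:
    if inc.mitigation_assurance:
        return True, "factor 4: satisfactory assurance of destruction/non-use obtained"
    return False, "factor 4: risk not mitigated"


def assess(inc: Incident) -> Assessment:
    """Return whether notification is required plus the reasoning to file with the incident record."""
    if not inc.unsecured:
        return Assessment(False, ["PHI was secured (encrypted/destroyed); notification rule not triggered"])
    results = [f(inc) for f in (factor_nature, factor_recipient, factor_acquired, factor_mitigation)]
    low_probability = all(ok for ok, _ in results)   # all four must be favourable (assumption)
    reasons = [why for _, why in results]
    reasons.append("conclusion: low probability of compromise" if low_probability
                   else "conclusion: breach presumed, notify affected individuals")
    return Assessment(notify=not low_probability, reasons=reasons)


# Constructed sample incidents.
MISDIRECTED_MAIL = Incident(
    "appointment letter mailed to another clinic, returned unopened with written attestation",
    unsecured=True, identifiers=frozenset({"name", "address"}),
    recipient_hipaa_obligated=True, acquired_or_viewed=False, mitigation_assurance=True)

STOLEN_THUMB_DRIVE = Incident(
    "unencrypted thumb drive stolen from a vehicle, never recovered",
    unsecured=True, identifiers=frozenset({"name", "diagnosis"}),
    recipient_hipaa_obligated=False, acquired_or_viewed=None, mitigation_assurance=False)

ENCRYPTED_LAPTOP = Incident(
    "laptop with full-disk encryption stolen; key not compromised",
    unsecured=False, identifiers=frozenset({"name", "ssn", "diagnosis"}),
    recipient_hipaa_obligated=False, acquired_or_viewed=None, mitigation_assurance=False)

if __name__ == "__main__":
    for inc in (MISDIRECTED_MAIL, STOLEN_THUMB_DRIVE, ENCRYPTED_LAPTOP):
        a = assess(inc)
        print(f"{inc.description}\n  notify={a.notify}\n  " + "\n  ".join(a.reasons))
```

The point of the structure is the default: the entity has to produce a favourable answer on every factor to rebut the presumption, and "we don't know whether anyone looked at it" (the usual state of affairs after a theft) leaves the presumption in place. The reasons list is the part OCR will ask to see.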
OCR Will Know Policies Are Not Updated
Compliance Deadline = September 23, 2013
Genetic Information: Protected Health Information now includes genetic information. Not a major change, but it requires a change to any definition of PHI. Genetic information cannot be used by health insurers for underwriting purposes.
50+ Years Deceased: PHI does not include information about persons deceased for over 50 years.
H&B's Position: this would not apply in New York.
Access
OCR Will Know Policies Are Not Updated
The Covered Entity must provide requested copies of an individual's record to a designated person when that individual directs the Covered Entity to transmit a copy to the designated person. The request must be in writing, signed, and clearly identify the designated person and where to send the information.
The Covered Entity must respond to requests within 30 days, but can ask for an extra 30 days.
Old Regulations: If the requested information was not on site, the provider could take 60 days to respond.
Business Associate Agreements
Compliance Deadline = September 23, 2014
HIPAA Compliant Before January 25, 2013: not required to revise current agreements before the September 23, 2014 compliance deadline, unless the agreement is modified or renewed prior to then.
New OCR language at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
H&B Note: be wary of using only this language.
Business Associate Agreement Revisions
New Definition: creates, receives, maintains or transmits protected health information for certain functions. Does not include disclosures concerning an individual's treatment made by a covered entity to a health care provider.
Required Language: "To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, [business associate must] comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s)."
Business Associate Agreement Revisions
OCR Will Know Policies Are Not Updated
- Business associate must comply with the Security Rule.
- Business associate must notify the Covered Entity of any breach of unsecured PHI.
- Business associate must hold subcontractors responsible.
- Business associate must adhere to Covered Entity privacy rule restrictions.
- Obligation to report to HHS removed.
Marketing and Sale
Compliance Deadline = September 23, 2013
Old Rules: promotional communication for treatment, case management, etc. is not marketing.
New Rules: communication paid for by third parties is marketing even if it fits into an old exception.
Only Exception: refill reminders paid for by a third party for the same drug or generic equivalent are not marketing (payment must reasonably relate to the cost of the communication).
Sale of PHI restricted.
Fundraising
Compliance Deadline = September 23, 2013
Old Rules: permitted use of demographic information, insurance status, and dates of service.
New Rules: permissible information for fundraising use includes all information covered by the old rule, general information about the department the person was served in (reasonable to think program could be read into this), treating physician, and general outcome information.
- Recipient must be provided a clear and conspicuous opportunity to opt out of further communication that does not cause undue burden.
- Treatment or payment cannot be conditioned on agreement to receive communication.
- Ensure those who opt out do not receive further communications.
Request Restrictions
Compliance Deadline = September 23, 2013
Old Rules: under no circumstances did a Covered Entity have to agree to a restriction.
New Rules: Covered Entities must comply with requests restricting PHI disclosures to health plans when the requested restrictions pertain to PHI regarding items or services the individual paid for in full without health plan dollars.
Electronic Records
Compliance Deadline = September 23, 2013
Must provide individuals electronic copies of their PHI if the PHI is maintained in any electronic designated record set.
Reasonable cost-based fee that may be charged for production of records:
- Labor costs
- Postage and media (when the individual requests non-electronic delivery of PHI)
Notice of Privacy Practices
Compliance Deadline = September 23, 2013
Changes:
- Individual authorization required for: most uses and/or disclosures of psychotherapy notes for marketing purposes and/or the sale of PHI; all uses and/or disclosures not in the Notice of Privacy Practices.
- An individual may opt out of fundraising communications.
- The Covered Entity is required to comply with a request to restrict disclosures for items and services paid for out of pocket.
- Affected individuals have a right to be notified of any breach of unsecured PHI.
Notice Distribution
"As such, 164.520(c)(2)(iv) requires that when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision and must comply with the requirements of 164.520(c)(2)(iii) to have the NPP available at the delivery site and to post the notice in a clear and prominent location. In response to several comments expressing concern about printing costs for new NPPs, we clarify that providers are not required to print and hand out a revised NPP to all individuals seeking treatment; providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them."
New Monetary Penalties
Tiered Increase in Monetary Penalties:
- Did Not Know & Would Not Have Known with Reasonable Diligence: as low as $100 for each violation, up to $25,000 in a calendar year.
- Reasonable Cause & No Willful Neglect: as low as $1,000 for each violation, up to $100,000 in a calendar year.
- Willful Neglect: $10,000 for each violation, up to $250,000 in a calendar year.
- Where No Correction: as high as $50,000 for each violation, up to $1,500,000 in a calendar year.
Affinity Health Plan: Photocopier Memory
HIPAA Developments
HIPAA Violation: Affinity Health Plan returned multiple photocopiers to a leasing company without erasing the confidential medical information contained on the copier hard drives. Affinity estimated the breach affected up to 344,579 individuals. Affinity filed a breach report with OCR.
OCR Investigation Indicated Affinity:
- Impermissibly disclosed individuals' PHI by failing to implement proper policies and procedures when returning the leased photocopiers.
- Failed to incorporate the electronic protected health information (ePHI) stored on the photocopier hard drives in its risks and vulnerabilities analysis required by the Security Rule.
Penalty: settled potential HIPAA violations for $1,215,780.
WellPoint: Internet-Accessible ePHI
HIPAA Developments
HIPAA Violation: WellPoint's on-line application database left individuals' electronic protected health information (ePHI) accessible to unauthorized users. WellPoint reported the breach affected 612,402 individuals.
OCR Investigation Indicated WellPoint Did Not:
- Implement required Security Rule administrative and technical safeguards.
- Implement adequate policies and procedures for authorizing access to the online application database.
- Perform appropriate technical evaluations when upgrading information systems software.
- Have technical safeguards maintained in its application database necessary to verify the person or entity seeking access to ePHI.
Penalty: paid HHS $1.7 million.
H&B Note: HIPAA-covered entities should take caution when implementing changes to information systems, especially when changes involve updating Web-based applications or portals used to provide consumer access to electronic health data.
APDerm, P.C.: Stolen Thumb Drive
HIPAA Developments
HIPAA Violation: Adult & Pediatric Dermatology, P.C., of Concord, MA, reported to OCR after an unencrypted thumb drive containing electronic protected health information (ePHI) was stolen from an APDerm staff member's vehicle. The stolen thumb drive contained the ePHI of approximately 2,200 individuals. The thumb drive was never recovered.
OCR Investigation Indicated APDerm Did Not:
- Conduct an accurate or thorough analysis of potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.
- Comply with requirements of the Breach Notification Rule requiring written policies and procedures and training of workforce members.
Penalty: settled potential HIPAA violations with OCR for $150,000.
Skagit County, Washington: Public Website
HIPAA Developments
HIPAA Violation: Skagit County inadvertently moved electronic protected health information (ePHI), containing infectious disease testing and treatment records for 1581 individuals, to a County-maintained publicly accessible server.
OCR Investigation Indicated: general and widespread non-compliance. Skagit County violated:
- HIPAA Privacy Rules
- Security Rules
- Breach Notification Rules
Penalty: settled potential HIPAA violations for $215,000. The settlement included Skagit County's commitment to work closely with HHS to correct HIPAA compliance deficiencies.
Concentra Health Services: Stolen Laptop
HIPAA Developments
HIPAA Violation: compliance review of Concentra Health Services (Concentra) after OCR received a breach report that an unencrypted laptop was stolen from one of its facilities.
OCR Investigation Indicated Concentra:
- Completed multiple risk analyses that revealed that failing to encrypt laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) created a critical risk.
- Began steps to implement proper encryption, but efforts remained incomplete and inconsistent, leaving patient ePHI vulnerable throughout the organization.
- Maintained insufficient security management processes to safeguard patient information.
Penalty: settled potential HIPAA violations with OCR for $1,725,220. The settlement included Concentra's agreement to adopt a corrective action plan to remedy non-compliance.
Stolen Laptop: Corrected Too Late
HIPAA Developments
HIPAA Violation: an unencrypted laptop computer was stolen from a workforce member's car. The laptop contained the ePHI of 148 individuals. Following discovery of this breach, the Provider encrypted all devices.
OCR Investigation Indicated: the Provider violated the Security Rule despite immediate correction.
Penalty: settled potential HIPAA violations for $250,000. The settlement required the Provider to:
- Provide HHS with an updated risk analysis and corresponding risk management plan, including specific security measures to reduce the risks to and vulnerabilities of ePHI.
- Retrain the workforce and document ongoing compliance efforts.
NY Presbyterian Hosp. & Columbia Univ.
HIPAA Developments
NYP & CU: New York Presbyterian Hospital (NYP) and Columbia University (CU) operate a shared data network and shared network firewall administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
HIPAA Violation: NYP and CU filed a joint breach report following the disclosure of ePHI including NYP patients' status, vital signs, medications, and laboratory results. The breach made publicly accessible the ePHI of 6,800 NYP patients. The breach occurred when a CU physician who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. NYP & CU learned of the breach after receiving a complaint when the surviving partner of a former NYP patient found his or her deceased partner's ePHI on the internet.
NY Presbyterian Hosp. & Columbia Univ.
HIPAA Developments
OCR Investigation Indicated:
- NYP & CU impermissibly disclosed NYP patients' ePHI on the internet.
- Neither NYP nor CU made efforts prior to the breach to assure the server's security or confirm the server contained appropriate software protections.
- Neither entity conducted accurate or thorough risk analyses identifying all the systems that access NYP patients' ePHI.
- Neither entity developed adequate risk management plans addressing the potential threats and hazards to the security of ePHI.
- NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
Penalty: NYP settled potential HIPAA violations with OCR for $3,300,000. CU settled potential HIPAA violations with OCR for $1,500,000. Both entities agreed to a substantive corrective action plan, including undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.
Most Common Calls
- Lost laptop, etc.
- Items stolen from car.
- Employee or ex-employee divulging information to those outside the provider.
- Curiosity looks.
- Misfired e-mail or wrong mail.
- No shredding or incinerating.
- Encryption debate.
What To Do Now
- Consider an internal audit. Security risk audit tool released March 2014.
- Document internal audit results and efforts towards compliance.
- Coordinate privacy and security staff, policies and procedures.
- Remember: if OCR investigates, they will ask what steps were taken.
- Do the easy stuff and document what you do.
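The settlements summarised above (Affinity, WellPoint, APDerm, Skagit County, Concentra, the unnamed provider, NYP/CU) come down to four recurring gaps: ePHI systems left out of the risk analysis, unencrypted portable devices, internet-reachable ePHI with unverified access controls, and hardware leaving custody with its storage intact. The following is an added example, not part of the presentation, of the HHS security risk assessment tool, or of any firm's audit practice: it runs those four checks over a constructed asset inventory and ties each finding to the case that illustrates it, which is the kind of "what steps were taken" record the slide recommends keeping. The inventory fields and sample assets are this example's own construction.

```python
"""Inventory-driven check for the ePHI gaps behind the enforcement cases (added example)."""
from dataclasses import dataclass
from typing import Dict, List

PORTABLE_KINDS = {"laptop", "thumb_drive", "tablet"}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                       # laptop, thumb_drive, tablet, copier, server, desktop
    holds_ephi: bool
    encrypted: bool                 # data at rest encrypted per HHS guidance
    internet_reachable: bool
    access_control_verified: bool   # tested that reaching ePHI requires authentication
    in_risk_analysis: bool          # covered by the Security Rule risk analysis
    leaving_custody: bool           # being returned to lessor, sold, or decommissioned
    storage_sanitized: bool         # onboard storage wiped or destroyed before it leaves


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    precedent: str                  # the settlement on the slides that turned on this gap


def audit(inventory: List[Asset]) -> List[Finding]:
    """Flag each ePHI-bearing asset that repeats a failure OCR has already penalised."""
    findings: List[Finding] = []
    for a in inventory:
        if not a.holds_ephi:
            continue
        if not a.in_risk_analysis:
            findings.append(Finding(a.name, "ePHI system not covered by the risk analysis",
                                    "Affinity Health Plan (copier hard drives)"))
        if a.kind in PORTABLE_KINDS and not a.encrypted:
            findings.append(Finding(a.name, "unencrypted portable device holding ePHI",
                                    "APDerm, Concentra, stolen-laptop settlement"))
        if a.internet_reachable and not a.access_control_verified:
            findings.append(Finding(a.name, "internet-reachable ePHI without verified access controls",
                                    "WellPoint, Skagit County, NYP/CU"))
        if a.leaving_custody and not a.storage_sanitized:
            findings.append(Finding(a.name, "storage not sanitized before device leaves custody",
                                    "Affinity Health Plan"))
    return findings


def findings_by_asset(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group issues per asset so each owner gets one remediation list."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.asset, []).append(f.issue)
    return out


# Constructed inventory for demonstration.
INVENTORY = [
    Asset("copier-3f", "copier", holds_ephi=True, encrypted=False, internet_reachable=False,
          access_control_verified=True, in_risk_analysis=False, leaving_custody=True,
          storage_sanitized=False),
    Asset("laptop-017", "laptop", holds_ephi=True, encrypted=False, internet_reachable=False,
          access_control_verified=True, in_risk_analysis=True, leaving_custody=False,
          storage_sanitized=True),
    Asset("laptop-018", "laptop", holds_ephi=True, encrypted=True, internet_reachable=False,
          access_control_verified=True, in_risk_analysis=True, leaving_custody=False,
          storage_sanitized=True),
    Asset("portal-db", "server", holds_ephi=True, encrypted=True, internet_reachable=True,
          access_control_verified=False, in_risk_analysis=True, leaving_custody=False,
          storage_sanitized=True),
    Asset("reception-pc", "desktop", holds_ephi=False, encrypted=False, internet_reachable=False,
          access_control_verified=False, in_risk_analysis=False, leaving_custody=False,
          storage_sanitized=False),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.asset}: {f.issue}  [precedent: {f.precedent}]")
```

Two design points carry over from the cases. The risk-analysis check runs before the others because the Affinity and NYP/CU findings were about systems nobody had catalogued, so an inventory that only lists "computers" misses them; copiers, medical equipment and personally-owned servers on the network count. And the internet check asks whether access control was verified, not merely configured, which is the gap OCR described at WellPoint (no technical evaluation after a software upgrade) and at NYP/CU (no effort to assure the server's security before it was exposed).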
Thank you for your time. Questions?
Melissa M. Zambri
Hiscock & Barclay, LLP
80 State Street
Albany, New York 12207
(518) 429-4229 (Phone) / (518) 427-3463 (Fax)
mzambri@hblaw.com