HIPAA/HITECH Omnibus Final Rule - January 23, 2013




HIPAA Omnibus Rule
Please note: these slides are intended to provide an overview of general information, not an exhaustive review. No legal advice is being offered or intended. Do not rely on this information for individual or specific situations; instead, seek advice from retained counsel.

HIPAA/HITECH Omnibus Final Rule - January 23, 2013
- Published in the Federal Register January 25, 2013 (78 Fed. Reg. 5566); effective March 26, 2013
- Compliance with most provisions of the final rule is required by September 23, 2013
- Existing business associate agreements that were not renewed or modified after the effective date must be brought into full compliance by September 22, 2014

Final Rule: Summary of Modifications
- Extends direct responsibility for HIPAA/HITECH privacy and security compliance for Protected Health Information (PHI) to business associates
- Replaces the prior "risk of harm" breach standard with new breach notification requirements (an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability of compromise)
- Adopts the HITECH Act's tiered civil money penalty structure for violations
- Limits disclosures to health plans where the individual has paid out of pocket in full
- Limits marketing communications
- Clarifies the prohibition on the sale of PHI
- Permits disclosure of proof of immunization to schools
- Permits disclosures to family members and others involved in the care of deceased individuals
- Regulates access to, and transmittal of, electronic copies of PHI
- Permits combined conditioned and unconditioned research authorizations

Business Associate (BA) Changes/Clarifications
The definition of business associate is modified to include:
- a person who maintains PHI on behalf of a covered entity (e.g., a data storage vendor), even if it does not actually view the PHI
- a Patient Safety Organization (PSO) or other person undertaking patient safety activities
- a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services for PHI to a covered entity and requires routine access to that PHI
- a person who offers a personal health record to one or more individuals on behalf of a covered entity
- a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate
Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the business associate's workforce.

Deceased Individuals
- The definition of PHI at 45 CFR 160.103 is modified so that individually identifiable health information of a person who has been deceased for more than 50 years is no longer PHI (this is not a record retention requirement)
- Covered entities may disclose a decedent's PHI to family members and others who were involved in the individual's care or payment for care prior to death, limited to PHI relevant to that person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity
- Note: this does not permit unlimited disclosure of a decedent's PHI, and state laws governing records of the deceased may still apply, so the analysis can be complicated

Student Immunization Records
- A covered entity may disclose proof of immunization to a school where State or other law requires the school to have such proof before admitting the student
- Agreement from the parent, guardian, or other person acting in loco parentis (or from the individual, if an adult or emancipated minor) is still required; it may be oral, but it must be documented (e.g., the request email or a notation of the phone call)

New Marketing Rules
- Marketing is a communication about a product or service that encourages the recipient to purchase or use that product or service
- Authorization is required for all marketing communications, including those that would otherwise fall within treatment or health care operations, where the covered entity receives direct or indirect financial remuneration from a third party whose product or service is being marketed
- Where remuneration is involved, the authorization must state that fact
Previous exceptions not modified:
- Face-to-face communication by the covered entity to the individual
- Promotional gift of nominal value (e.g., a pamphlet)
- Refill reminders or other communications about a drug or biologic currently prescribed to the individual, provided any remuneration received is reasonably related to the covered entity's cost of making the communication (labor, supplies, postage; no profit margin)
Not intended to be covered:
- General health promotion communications
- Communications about government and government-sponsored programs

Business Associates' Direct Liability
Business associates are now directly liable under the HIPAA Rules for:
- Uses or disclosures of PHI not in accordance with the BA agreement or the Privacy Rule
- Failing to disclose PHI when required by the Secretary of the U.S. Department of Health and Human Services (HHS) to investigate or determine the BA's compliance
- Failing to notify the covered entity of a breach of unsecured PHI
- Failing to disclose PHI to the covered entity, the individual, or the individual's designee as necessary to satisfy an individual's request for an electronic copy of his/her PHI
- Failing to make reasonable efforts to limit PHI to the minimum necessary for the purpose of a use, disclosure, or request
- Failing to enter into compliant BA agreements with subcontractors
- Failing to take reasonable steps to cure or end a subcontractor's material breach or violation once the BA knows of a pattern of activity or practice that constitutes one
- Failing to comply with the Security Rule

Uses and Disclosures: Sale of PHI
- Written authorization is required for any sale of PHI, i.e., a disclosure in exchange for remuneration, whether financial or in-kind
- In connection with research, authorization is required if the price charged exceeds a reasonable, cost-based fee covering the cost to prepare and transmit the data (a grant funding a research study is not remuneration for the disclosure)
Authorization is not required for:
- Public health activities
- Treatment and payment
- Disclosures to the individual or his/her designee of the individual's own PHI, for a reasonable, cost-based fee (labor and supplies such as portable media, where state law is not more restrictive)
- Sale, transfer, merger, or consolidation of all or part of a covered entity, including related due diligence
- Remuneration paid by a covered entity to a BA, or by a BA to a subcontractor, for services performed on its behalf
- Disclosures required by law

Research Authorizations
- Conditioned and unconditioned research authorizations may be combined in a single document if the authorization clearly differentiates between the conditioned and unconditioned research activities and gives the individual the ability to opt in to the unconditioned activity
- An authorization no longer has to be study-specific; it may cover future research if its purposes are described in enough detail that the individual would reasonably expect that his/her PHI could be used or disclosed for that future research

Restrictions on Use and Disclosure
- A covered entity must agree to an individual's request that it not disclose PHI to a health plan for payment or health care operations purposes where the PHI pertains solely to a health care item or service for which the individual (or someone other than the health plan, on the individual's behalf) has paid in full
- Exception: the disclosure is otherwise required by law

Individual's Access to Protected Health Information
- If an individual requests an electronic copy of PHI that is maintained electronically, it must be provided in the electronic form and format requested, if readily producible
- If not readily producible in that form, it must be provided in a readable electronic form and format agreed to by the covered entity and the individual
- If the individual declines all offered electronic formats that are readily producible, a hard copy must be provided
- The covered entity must consider the security of the transmission, but may send the copy by unencrypted email if the individual has been advised of the risk and still prefers that method
- If requested by the individual, the covered entity must transmit the copy directly to a person designated by the individual; the request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy
- Reasonable policies and procedures to verify the identity of the requester, and reasonable safeguards to protect the information (e.g., a check that the correct email address was entered), are required
- Access or a copy must be provided within 30 days of the request; one 30-day extension is available if the individual is given written notice of the reasons for the delay and the date by which the request will be completed

Notice of Privacy Practices
The Notice must state that authorization is required for:
- Most uses and disclosures of psychotherapy notes (for entities that record or maintain such notes)
- Uses and disclosures of PHI for marketing
- Disclosures that constitute a sale of PHI
- Other uses and disclosures not described in the Notice
The Notice must also:
- Include a statement about fundraising communications and the individual's right to opt out of them (if the entity intends to contact individuals to raise funds)
- For health care providers, inform individuals of their right to restrict certain disclosures of PHI to a health plan when they have paid out of pocket in full for the item or service
- Include a simple statement of the individual's right to be notified following a breach of unsecured PHI
Distribution of the revised Notice:
- Post it in a clear and prominent location within the office or facility
- Provide a copy to new patients and to anyone who requests it
- Post it on the entity's website, if it maintains one

Preemption of State Law
- HIPAA requirements supersede contrary provisions of state law
- HIPAA does not preempt state law that provides more stringent privacy protections (e.g., Texas HB 300)

Enforcement Rule Amendments
- "Business associate" is added to the following Enforcement Rule provisions: 160.300; 160.304; 160.306(a) and (c); 160.308; 160.310; 160.312; 160.316; 160.401; 160.402; 160.404(b); 160.406; 160.408(c) and (d); and 160.410(a) and (c)
- These sections were modified to impose direct civil money penalty liability on business associates (which now include subcontractors) for violations of certain provisions
- Business associates must have policies and procedures covering privacy and security in their handling of PHI
- Business associates are subject to complaint investigations and compliance reviews by HHS
- Business associates must obtain business associate agreements with subcontractors that fall within the BA definition

Enforcement Rule Amendments (Continued)
- If a preliminary investigation of a complaint indicates a possible violation due to willful neglect, the Secretary will investigate; investigation of other complaints is at the Secretary's discretion
- The Secretary will conduct a compliance review when a preliminary review of the facts indicates a possible violation due to willful neglect; absent that possibility, compliance reviews are discretionary
- The Secretary must impose a civil money penalty for violations due to willful neglect, but may seek resolution of other complaints and compliance reviews by informal means
- Where the circumstances indicate willful neglect, the Secretary may proceed directly to formal enforcement without first seeking to correct the noncompliance through voluntary corrective action

HIPAA Security Rule Applies to Business Associates
Business associates (including subcontractors under the revised definition) must comply directly with the Security Rule standards:
- 164.308: administrative safeguards, including the requirement that BAs obtain satisfactory assurances from their subcontractors
- 164.310: physical safeguards
- 164.312: technical safeguards
- 164.314: organizational requirements, including the required contents of agreements between BAs and subcontractors
- 164.316: policies, procedures, and documentation requirements

Breach Notification Provisions
- Breach: the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI
Exceptions:
- Unintentional acquisition, access, or use by a workforce member or a person acting under the authority of a covered entity or BA, if made in good faith and within the scope of that authority, and the PHI is not further used or disclosed in a non-permitted manner
- Inadvertent disclosure by a person authorized to access PHI at a covered entity or BA to another person authorized to access PHI at the same covered entity, BA, or organized health care arrangement, where the PHI is not further used or disclosed in a non-permitted manner
- A disclosure where the covered entity or BA has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information

Breach Notification Provisions (Continued)
- An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

Breach Notification Provisions (Continued)
- The burden of proof is on the covered entity or business associate to demonstrate the low probability of compromise (or that an exception applies), and documentation sufficient to meet that burden must be maintained
- Safe harbor: the notification obligations apply only to unsecured PHI. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons by encryption or destruction consistent with the HHS guidance (74 FR 42740, 42742) is not unsecured, so an impermissible use or disclosure of it does not trigger notification
- Caveat: the encryption safe harbor holds only if the decryption key was not also compromised; encrypted PHI lost together with its key (e.g., a laptop with the key cached on the same disk) is still unsecured PHI
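The safe harbor turns on a technical condition, so here is an added example that is not part of the slides: a Go program that seals one PHI record with AES-256-GCM, a NIST-approved authenticated mode consistent with the SP 800-111 data-at-rest guidance the HHS safe-harbor guidance references. It assumes the key is generated and held apart from the data (in practice a KMS or HSM; here a variable), that a record identifier is available to bind as associated data, and it uses a constructed sample record. The function names NewDataKey, EncryptRecord, DecryptRecord and LeaksIdentifier are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize selects AES-256, one of the NIST-approved algorithms the
// safe-harbor guidance points to (via NIST SP 800-111 for data at rest).
const keySize = 32

// NewDataKey generates a random AES-256 key. In production this key lives in a
// KMS or HSM, never on the same disk or backup as the records it protects: a
// key lost together with the ciphertext voids the safe harbor. (Assumption:
// key handling outside this process is the caller's responsibility.)
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one PHI record with AES-256-GCM. The stored blob is
// nonce || ciphertext || tag. recordID is bound as additional authenticated
// data so a blob cannot be silently re-filed under a different patient.
func EncryptRecord(key, plaintext, recordID []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, giving a self-describing blob.
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the blob, the key, or
// the recordID fails authentication and returns an error rather than garbage.
func DecryptRecord(key, blob, recordID []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, recordID)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// LeaksIdentifier is a cheap triage check for a lost artifact: it reports
// whether any listed identifier (name, MRN, SSN...) appears verbatim in the
// bytes. True for a plaintext export, false for a properly sealed blob.
func LeaksIdentifier(artifact []byte, identifiers [][]byte) bool {
	for _, id := range identifiers {
		if len(id) > 0 && bytes.Contains(artifact, id) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 00012345 | Jane Q. Sample | DOB 1970-01-02 | Dx: type 2 diabetes")
	ids := [][]byte{[]byte("Jane Q. Sample"), []byte("00012345")}
	rid := []byte("patient/00012345")

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptRecord(key, record, rid)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob leaks identifiers: %v\n", LeaksIdentifier(blob, ids))

	// A lost laptop holding this blob but not the key: unreadable, and any
	// tampering with the stored bytes is detected on decryption.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptRecord(key, blob, rid)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The design point for the breach analysis: the risk assessment asks whether PHI was "actually acquired or viewed", and a blob like this one answers that question only while the key is elsewhere. Binding the record identifier as associated data is not required by the guidance; it is included because it also stops an insider from swapping sealed records between patients without detection.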

Breach Notification Provisions (Continued)
- A business associate must notify the covered entity of a breach without unreasonable delay and in no case later than 60 calendar days after discovery
- A breach is treated as discovered on the first day on which it is known to the covered entity or BA or, by exercising reasonable diligence, would have been known
- The covered entity or BA is deemed to have knowledge of a breach if it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity other than the person who committed the breach

Breach Notification Provisions (Continued)
- Primary responsibility for notifying affected individuals remains with the covered entity, not the business associate
- The covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach (subject to a delay requested by law enforcement)
- 60 days is an outer limit, not a target; unnecessary delay within that window is itself a violation

Breach Notification Provisions (Continued)
The notice to individuals must be written in plain language and include, to the extent possible:
- A brief description of what happened, including the date of the breach and the date of discovery, if known
- The types of unsecured PHI involved (e.g., name, Social Security number, date of birth, home address, diagnosis)
- Steps individuals should take to protect themselves from potential harm
- A brief description of what the entity is doing to investigate the breach, mitigate harm, and protect against further breaches
- Contact procedures for questions or additional information, including a toll-free number, email address, website, or postal address
- Note: the Civil Rights Act and the ADA may require the notice to be accessible (e.g., in alternative languages or formats)

Methods of Notification to Individuals
- Written notice by first-class mail to the individual's last known address, or by email if the individual has agreed to electronic notice and has not withdrawn that agreement
- If contact information is insufficient or out of date, a substitute notice is required: for fewer than 10 individuals, an alternative form of written notice, telephone, or other means; for 10 or more, a conspicuous posting on the home page of the entity's website for at least 90 days or notice in major print or broadcast media where the individuals likely reside, in either case including a toll-free number that remains active for at least 90 days
- If the situation is urgent because of possible imminent misuse, individuals may also be contacted by telephone, in addition to the written notice
- For a minor or other individual who lacks legal capacity, notice goes to the parent or personal representative
- For a deceased individual, notice goes to the next of kin or personal representative, if the entity knows the individual is deceased and has that person's address

Methods of Notification to Individuals (Continued)
- When more than 500 residents of a single state or jurisdiction are affected, the covered entity must also notify prominent media outlets serving that state or jurisdiction (in addition to sending individual notices)
- Timing: without unreasonable delay and in no case later than 60 calendar days after discovery of the breach

Breach Notification to the Secretary
- When 500 or more individuals are affected (regardless of whether they reside in a single state or jurisdiction), the Secretary must be notified contemporaneously with the notification to individuals
- When fewer than 500 individuals are affected, the covered entity must maintain a log or other documentation of the breach and submit it to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which it occurred)
- The internal log or other documentation must be retained for six years

Penalties for HIPAA Violations
- Tier A: the entity did not know, and with reasonable diligence would not have known, that it violated a provision; $100 to $50,000 per violation
- Tier B: violation due to reasonable cause (the entity knew, or with reasonable diligence would have known, of the violation) but not willful neglect; $1,000 to $50,000 per violation
- Tier C(i): violation due to willful neglect that was timely corrected; $10,000 to $50,000 per violation
- Tier C(ii): violation due to willful neglect that was not timely corrected; $50,000 or more per violation
- Within each tier, the penalties for all violations of an identical provision in a calendar year may not exceed $1,500,000 (the amounts shown are those set in the 2013 rule; they have since been adjusted for inflation)

Timely Correction
- The 30-day cure period begins on the date the entity first has actual or constructive knowledge of the violation (i.e., knew, or by exercising reasonable diligence would have known, of it)
- Whether a violation was timely corrected is determined by HHS based on the evidence gathered during the investigation; the Secretary may allow additional time for correction

Factors in Imposing a Penalty
Nature and extent of the violation, which may include, but is not limited to:
- The number of individuals affected
- The time period over which the violation occurred
Nature and extent of the harm resulting from the violation, which may include, but is not limited to:
- Whether the violation caused physical harm
- Whether it caused financial harm
- Whether it caused harm to an individual's reputation
- Whether it hindered an individual's ability to obtain health care
History of prior compliance, including, but not limited to:
- Whether the current violation is the same as or similar to previous noncompliance
- Whether, and to what extent, the entity attempted to correct previous noncompliance
- How the entity responded to technical assistance from the Secretary provided in the context of a compliance effort
- How the entity responded to prior complaints
Financial condition, which may include, but is not limited to:
- Whether financial difficulties affected the entity's ability to comply
- Whether a penalty would jeopardize the ability of the entity or BA to continue to provide, or to pay for, health care
- The size of the entity or BA
Such other matters as justice may require

Agents
- Both covered entities and business associates are liable, under the federal common law of agency, for the acts of their agents acting within the scope of the agency, regardless of the label used (including a BA or subcontractor that is in fact an agent)
- The former exception, under which a covered entity was not liable for its business associate's conduct when a compliant business associate agreement was in place, has been removed