New HIPAA regulations require action. Are you in compliance?
Mary Harrison, JD
Tami Simon, JD
May 22, 2013
Discussion topics
- Introduction
- Remembering the HIPAA Basics
- HIPAA Privacy Rules
- HIPAA Security Rules
- Final omnibus regulations
- Enforcement update
- Employer action items
- Questions
History of HIPAA
HIPAA privacy and security rules were first announced in 1996. Since then, several rounds of regulations and guidance have addressed the safeguards required for an individual's protected health information (PHI):
- The Health Information Technology for Economic and Clinical Health (HITECH) Act
- The Genetic Information Nondiscrimination Act of 2008 (GINA)
- Accounting of disclosure regulations
The omnibus regulations pull together several of these past regulations.
- Compliance effective date: Sept. 23, 2013
- Accounting of disclosures and an individual's right to receive an access report: guidance still forthcoming
Remembering the HIPAA Basics
What kind of personal information does HIPAA protect?
Protected Health Information (PHI) is individually identifiable health information, including demographic information collected from an individual, that:
- is created or received by a healthcare provider, health plan, employer, or healthcare data clearing house; and
- relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payments for the provision of healthcare to an individual.
e-PHI is PHI in electronic media, whether:
- At rest in a storage device (for example, a computer hard drive, disk, CD, or flash drive/memory stick); OR
- In transit via the internet, dial-up lines, etc. (for example, e-mail, File Transfer Protocol (FTP), electronic data interchange (EDI), interactive voice response (IVR), and fax-back systems that transmit PHI)
What form can it take? Print; electronic (including e-mail); oral.
Individually identifiable
If an individual can be identified using the information alone or in combination, then it is individually identifiable. Examples include the following:
Consider the circumstances as well. For example, in a report by department and age, if only one person in the group is over 60, that person can be identified.
HIPAA quiz
Who does HIPAA apply to?
Privacy and security rules apply directly to Covered Entities:
- Group health plans
- Providers who perform certain standard transactions electronically
- Health care data clearinghouses
- Business Associates with access to protected health care information*
Employers are not Covered Entities; but as the plan sponsors, they must ensure their plans comply with HIPAA.
* Expanded under omnibus regulations
What is a group health plan?
- Medical
- Dental
- Vision
- Health Flexible Spending Account
- Prescription drugs
- Some employee assistance programs
Note: Rules apply to both insured and self-funded arrangements.
Types of common group health plan PHI and e-PHI
The HIPAA Privacy Rules
Overview - Privacy
Privacy Standards require that PHI be safeguarded, but primarily address:
- Who can have access to PHI
- How PHI can be used and disclosed
A Covered Entity is not permitted to release or use PHI except for:
- Specific administrative functions
- Treatment
- Payment (e.g., eligibility or coverage determinations, claim resolution)
- Health plan operations (e.g., underwriting, contract renewal)
- Disclosures that the individual authorizes in writing
- Disclosures to the individual in accordance with their rights under HIPAA
- Disclosures made for legal or public policy reasons
The Privacy Standards create individual rights. They do not pre-empt other state or federal laws that are more restrictive.
Minimum necessary standard
May disclose only the minimum PHI necessary to achieve the purpose of the use or disclosure.
- Routine disclosures: Must establish policies and procedures to limit disclosure of PHI; case-by-case review unnecessary
- Non-routine disclosures: Must have criteria for evaluating the specific situation; must be approved by the Privacy Officer
Does not apply to:
- Disclosures made in accordance with an authorization
- Disclosures made to the individual
- Disclosures required by law
- Disclosures for the treatment of the individual
Individual rights
The privacy rules provide individuals (employees, retirees and dependents) with specific rights:
- Right to notice of privacy rights, policies and procedures
- Right to access and/or amend their own PHI in the designated record set
- Right to authorize non-exempt uses and disclosures
- Right to an accounting of non-exempt disclosures of PHI over the past 6 years upon request
- Right to communications made by an alternative means or at an alternative location when requested
- Right to access electronic information (changed in omnibus regulation)
- Right to restrict certain disclosures (changed in omnibus regulation)
The HIPAA Security Rules
HIPAA security rule
Covered Entities must:
- Ensure the confidentiality, integrity and availability of all e-PHI the Covered Entity creates, receives, maintains or transmits
  - Confidentiality: the information will not be disclosed to unauthorized individuals or processes
  - Integrity: the condition of data or information will not be altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems
  - Availability: the data or information is accessible and useable upon demand by an authorized person
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Ensure compliance with the rules
Security standards
Security Standards are multidimensional:
Administrative
- Security Management
- Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness & Training
- Security Incident Procedures
- Contingency Plans
- Evaluation
- Business Associate Agreements
Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device & Media Controls
Technical Security Mechanisms/Services
- Access Control
- Audit Control
- Integrity
- Person or Entity Authentication
- Transmission Security
- Encryption
10 best security practices for users
1. Unique user ID or log-in name (user access controls)
2. Password protection
3. Workstation security
4. Security for portable devices and laptops with e-PHI
5. Data management and security
6. Secure remote access
7. E-mail security
8. Safe internet use
9. Limit instant messaging
10. Protection against malicious software
Final Omnibus Rules
Business associate changes
Definition: Entities or people performing activities that involve use or disclosure of PHI for or on behalf of a covered entity.
The omnibus rules include several provisions that apply to business associates and to covered entities that enter into agreements with them. They:
- Revise the definition of business associate;
- Assign direct BA liability; and
- Require changes to business associate agreements
Business associate definition changes
A business associate now includes the following additional entities:
- Patient safety organizations
- Health information organizations, e-prescribing gateways, and other organizations that transmit PHI to a covered entity (or business associate) and that require access to PHI on a routine basis (mere conduits that provide courier services are excepted)
- Data storage companies (whether digital, cloud, or hard copy) that maintain PHI, regardless of whether they require regular direct access
- Entities that offer personal health records (PHRs) to individuals on behalf of a covered entity
Subcontractors
BA obligations and liability extend to subcontractors.
- Covered entity is not required to enter a direct contract with the subcontractor
- Business associate must have a written agreement with its subcontractor containing satisfactory assurances that the subcontractor will comply with applicable provisions of the privacy and security rules
- Subcontractor noncompliance requires BA action
Business associates: extension of liability
Direct liability for compliance with certain HIPAA provisions, such as impermissible uses and disclosures and failure to:
- Provide a breach notification to the covered entity
- Provide access to a copy of electronic PHI
- Disclose PHI where required by HHS to investigate or determine compliance with HIPAA
- Provide an accounting of disclosures
- Comply with the requirements of the security rule
Noncompliance with those rules could subject the business associate to civil and criminal penalties.
Business associate agreements
HHS has provided sample BAA language. Among other things, BAAs must now state that business associates will:
- Comply with HIPAA's security rule
- Comply with the HITECH Act's privacy provisions (e.g., account for disclosures, follow the minimum necessary rule, comply with revised sales and marketing rules)
- Comply with the HIPAA privacy rule to the same extent as the covered entity
- Report breaches of unsecured PHI to covered entities
- Ensure that subcontractors agree to the same restrictions as the business associate
Business associate agreements
Compliance date by status of the business associate agreement and the action taken on it:
- HIPAA-compliant agreement in effect before 1/25/2013, renewed or modified on or after 1/25/2013 and before 3/26/2013: if evergreen or automatically renewed (i.e., no changes), no later than 9/22/2014; otherwise unclear, so conservatively by 9/23/2013
- HIPAA-compliant agreement in effect before 1/25/2013, renewed or modified on or after 3/26/2013 and before 9/23/2013: 9/23/2013
- HIPAA-compliant agreement in effect before 1/25/2013, renewed or modified on or after 9/23/2013: the earlier of the renewal/modification date or 9/22/2014
- New agreement executed in 2013 but before 9/23/2013: 9/23/2013
- New agreement executed on or after 9/23/2013: effective date of the agreement
Individual rights expanded
- Access to electronic records
- Restricted disclosures
- Decedent's PHI
- Proof of immunization
Use and disclosure of PHI coupled with financial remuneration
- Marketing
  - Refill reminders or other communications about drugs/biologicals
  - Health-related products or services
  - Government programs
  - Communication about treatments and health care operations, and recommendations of alternative treatments, providers, and therapies
  - Case management
- Fundraising
  - Opt-out option
- Sale
HIPAA Enforcement and Breaches
What is a breach?
Definition: acquisition, access, use or disclosure of PHI in an impermissible manner that compromises the security or privacy of the PHI.
New rules:
- Impermissible disclosure of PHI is PRESUMED to be a breach
- Requires a risk assessment of at least the following:
  - Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - Who used or received the PHI
  - Whether the PHI was actually acquired or viewed
  - Any risk mitigation measures taken
- Burden is on the covered entity (the plan) or business associate to show no breach
- Notification within 60 days of discovery; sometimes to the media
HITECH ups the ante
- Breach notifications
- Negative press
- Loss of employee or customer trust
- Administrative requirements to deal with breach notification
- Increased HIPAA civil penalties (that now apply to Business Associates too!)

Violation category                         Each violation       All such violations of an identical provision in a calendar year
(A) Did Not Know                           $100 - $50,000       $1,500,000
(B) Reasonable Cause                       $1,000 - $50,000     $1,500,000
(C)(i) Willful Neglect - Corrected         $10,000 - $50,000    $1,500,000
(C)(ii) Willful Neglect - Not Corrected    $50,000              $1,500,000

- Funds from penalties will be funneled into enforcement efforts
- Individuals harmed by HIPAA violations are allowed to share in penalties
- State attorneys general are given authority to bring civil actions in federal courts on behalf of their citizens
Enforcement
- HITECH requires HHS to provide for periodic compliance audits
- New protocols developed from the 2011-2012 pilot enforcement project will be applied going forward
- HHS HIPAA actions are on the rise
Employer Action Items
Business associate issues
- Review the HHS model BAA
- Revise BAAs to include the new direct liability provisions
- Determine the date by which BAAs must be amended to comply with the omnibus rule
- Prepare an amendment for currently executed BAAs that adds the new provisions
- Consider changes to policies and procedures for monitoring business associate compliance to reflect the changes to the HIPAA enforcement rules
Notice of privacy practices
Revise the NPP to reflect the final omnibus rules:
- Statement that the covered entity is not permitted to use genetic information for underwriting purposes
- Statement regarding the covered entity's obligations to maintain the privacy of an individual's PHI
- Individual's right to receive notification in the event of a breach
- Individual's right to access electronic records
- Description of the uses and disclosures of PHI that require an authorization (e.g., use of psychotherapy notes, disclosure of PHI for marketing, and disclosures that constitute a sale of PHI)
- Statement regarding the covered entity's use of PHI for fundraising purposes and opt-out rights
Notice of privacy practices
A health plan that currently posts its NPP on its web site must:
- Prominently post the material change or the revised notice on its web site by September 23, 2013
- Provide the revised notice (or information about the material change and how to obtain the revised notice) in its next annual mailing to covered individuals (e.g., open enrollment)
If the health plan does not post the NPP on its web site, it must provide the revised NPP (or information about the material changes and how to get the full NPP) within 60 days of the material revision to the notice.
Due by Sept. 23, 2013
Policies and procedures
- The definition of PHI includes genetic information
- Access to records can include PHI maintained electronically even if not an electronic health record
- A procedure is in place related to requested disclosures to third parties
- A provision is in place regarding handling of immunization records
- Breach notification reflects the new definition of breach
- Uses of genetic information are restricted
- How to respond to an individual's request to access electronic information
- How the plan will use or disclose a decedent's PHI to family members and others involved in the care or payment of care
Policies and procedures
- Incorporate the new standards related to performing a risk assessment
- Correct definitions of marketing and sale are being used
- Include the permitted uses and disclosures related to marketing and sales (as applicable)
- Authorizations are updated for marketing and/or sale of PHI, if applicable
- If and how the entity will handle fundraising involving PHI (and a system for allowing individuals to opt out of fundraising communication)
- Permitted uses and disclosures for research are in place
HIPAA security and workforce training
HIPAA Security
- Update HIPAA security policy and procedures
- Conduct a comprehensive risk analysis
Workforce training
- Update workforce training to include new provisions in the omnibus rules relevant to the group health plan, necessary changes to the organization's HIPAA policies and procedures, and breach notice training
Resources
Resources and how Buck can help
Resources on www.buckconsultants.com (go to: Health and Productivity > HIPAA compliance):
- Complimentary HIPAA Check-up
- HIPAA Training Program details
- FYI on HIPAA privacy and security regulations released
Questions?
Contacts
Tami Simon, JD
Managing Director, Knowledge Resource Center
Washington, DC
(202) 776-1004
tami.simon@buckconsultants.com

Mary Harrison, JD
Principal, Health and Productivity
New York
(212) 330-1184
mary.harrison@buckconsultants.com