Data Breach, Electronic Health Records and Healthcare Reform
(This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.)

Overview of HIPAA Privacy and Security Changes: Introduction and Overview
- On February 17, 2009, the President signed P.L. 111-05, the American Recovery and Reinvestment Act (ARRA).
- Title XIII of Division A of ARRA comprises the provisions known as HITECH, the Health Information Technology for Economic and Clinical Health Act.
Electronic Health Records
- Provides that Eligible Professionals who do not become Meaningful Users of Certified EHR Technology will have physician fee schedule payments reduced by:
  - 1% in 2015
  - 2% in 2016
  - 3% in 2017 and subsequent years

Electronic Health Records: What is EHR?
- Not simply a digitized paper record
- The key is interoperability and electronic exchange of health information

Electronic Health Records
- January 13, 2010: HHS issues Interim Final Regulations for Certified EHR and Proposed Regulations for Meaningful Use (Stage 1 Criteria)
- Physicians who are Meaningful Users of Certified EHR are eligible for incentive payments
- Must satisfy Stage 1 criteria; Stage 2 by 2013; Stage 3 by 2015

Electronic Health Records: Stage 1 Criteria (beginning in 2011)
- Electronically capturing health information in a coded format
- Using electronic information to track key clinical conditions
- Communicating information for care coordination
- Implementing decision support tools to facilitate disease and medication management
- Reporting clinical quality measures and public health information

Electronic Health Records: Stage 2 Criteria (beginning in 2013)
- Expand on Stage 1 criteria
- Use of HIT for continuous quality improvement at the point of care
- Electronic transmission of orders entered using computerized provider order entry
- Electronic transmission of diagnostic test results

Electronic Health Records: Stage 3 Criteria (beginning in 2015)
- Promote improvements in quality, safety and efficiency
- Decision support for national high-priority conditions
- Patient access to self-management tools
- Access to comprehensive patient data
- Improving population health

Electronic Health Records: Incentive Payments
- Up to $44,000 per physician from Medicare; must satisfy by 2011 or 2012
- Up to $63,750 per physician from Medicaid, if the State adopts:
  - First year: adopt, implement or upgrade EHR
  - After first year: Meaningful Use
  - 30% of patients Medicaid
  - Must elect
  - Not hospital-based

Electronic Health Records: Health Information Technology Initiatives
- President Obama's Budget Proposal: increase of $110 million for HIT initiatives at CMS; increase of $17 million for ONC
- ARRA commits $20.6 billion over 10 years
Overview of HIPAA Privacy and Security Changes
- Business Associates directly regulated by HIPAA
- Required notification of individuals whose PHI is compromised by a breach
- Required national education initiative
- Additional restrictions on certain disclosures
- Required accounting for certain disclosures
- Prohibition on sale of EHR and PHI
- Limitations on use of PHI for marketing

Overview of HIPAA Privacy and Security Changes (continued)
- Additional entities defined to be Business Associates
- Stepped-up enforcement
- Increased penalties

Business Associates: Prior Law
- Business associates (BAs) were not directly regulated by HIPAA
- Instead, covered entities were required to enter into business associate contracts with their BAs

Business Associates: HITECH
- Clarifies some relationships and expands requirements on BAs
- HITECH clarifies that the following are BAs:
  - Health Information Exchange Organizations
  - RHIOs
  - e-prescribing gateways
  - PHR vendors that provide PHRs to covered entities

Business Associates: HITECH
- BAs are required to:
  - Notify covered entities if they discover a data breach
  - Directly comply with administrative, physical, and technical safeguards and documentation requirements under the HIPAA Security Rule as if they were covered entities
  - Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their business associate contracts

Business Associates
- Other HITECH privacy and security requirements that apply to covered entities shall be incorporated into the business associate agreement.

Business Associates
- BAs now have obligations regarding a breach by a covered entity:
  - Terminate the arrangement
  - Report the problem to HHS if termination is not feasible

Business Associates
- Subject to civil and criminal enforcement and penalties under HIPAA (in addition to contractual liability)
- Covered entities will need to:
  - Revisit business associate contracts
  - Possibly amend business associate contracts
  - Review and possibly revise BA vendor agreements
Data Breach Notification
- HITECH adds a new breach notification provision that applies to covered entities and BAs that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI

Data Breach Notification
- Regulations published August 24, 2009 (Federal Register, Vol. 74, No. 162, Monday, August 24, 2009)
- Effective Date: September 23, 2009

Data Breach Notification
- Requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following discovery of a breach of unsecured PHI

Data Breach Notification
- In some cases, requires covered entities to provide notification to the media of breaches
- Requires a BA of a covered entity to notify the covered entity of a data breach involving unsecured PHI at or by the BA
- Requires the Secretary of HHS to post on the HHS website the names of covered entities that experience a breach of unsecured PHI involving more than 500 individuals

Data Breach Notification: Secured PHI
- PHI that is rendered unusable, unreadable, or indecipherable to one or more individuals
- This is accomplished if:
  - Electronic PHI is encrypted
  - PHI is destroyed

Data Breach Notification: Encryption
- Encryption for data at rest consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
- Encryption for data in motion complying with NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated

Data Breach Notification: Destruction
- Paper, film or other hard copy has been shredded or destroyed such that PHI cannot be reconstructed
- Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved

Data Breach Notification: Not Acceptable Security
- Access controls
- Redaction
Data Breach Notification: Process to Determine if a Breach Has Occurred
- Step 1: determine if the information is individually identifiable health information

Data Breach Notification: Individually Identifiable Health Information
- Health information collected from an individual (includes demographic information)
- Is created or received by a health care provider, health plan, employer or health care clearinghouse; AND
- Relates to the past, present or future physical or mental health or condition of an individual; or relates to the provision of health care to an individual; or relates to the past, present or future payment for the provision of health care

Data Breach Notification: Individually Identifiable Health Information (continued)
- AND that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual

Data Breach Notification
- Step 2: determine if the information is PHI
- PHI is individually identifiable health information that is transmitted and maintained in any form or medium, including electronic information

Data Breach Notification: Not PHI
- De-identified information
- Education records covered by FERPA
- Employment records held by a covered entity in its role as employer
- If not PHI: no breach under HIPAA (may be a breach under state or other federal law)

Data Breach Notification
- Step 3: determine whether the use or disclosure violates the Privacy Rule (HIPAA Privacy Regulations)
- Not all uses or disclosures violate the Privacy Rule

Data Breach Notification
- Step 4: determine if there is a significant risk of financial, reputational or other harm to the individual
Data Breach Notification: Exceptions to Breach
- Information is a Limited Data Set that also excludes date of birth and zip code
- Unintentional access by a workforce member or individual acting under the authority of a covered entity
- Inadvertent disclosure by one person authorized to access PHI at a covered entity or BA to another person authorized to access PHI at a covered entity, BA or organized health care arrangement, as long as the recipient does not further use or disclose it
- Unauthorized disclosure when the person to whom the disclosure is made is not reasonably able to retain the information

Data Breach Notification: Discovery of Breach
- First day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity
- A covered entity has knowledge if the breach is known, or by exercise of reasonable diligence would have been known, to a workforce member or agent of the covered entity

Data Breach Notification: Time of Required Notice
- No later than 60 calendar days after the date the breach is discovered by the covered entity
- Without unreasonable delay; 60 days is the outer limit

Data Breach Notification: Methods of Notification
- Written notification by first-class mail
- Electronic notice if the individual agrees to electronic notice
- Substitute notice if there is insufficient or out-of-date contact information:
  - Fewer than 10 individuals: alternative written, telephone or other means
  - 10 or more individuals: post on website for at least 90 days, or conspicuous notice in major print or broadcast media

Data Breach Notification: Content of Notice
- Brief description
- Date of breach
- Date of discovery
- Description of types of PHI involved
- Steps individuals should take to protect themselves
- Steps the entity is taking to mitigate harm
- Contact procedures

Data Breach Notification: Notification of Media
- Breach involving more than 500 residents of a state or jurisdiction: notify prominent media outlets in the state or jurisdiction no later than 60 days after discovery

Data Breach Notification: Notification to the Secretary of HHS
- Breaches involving 500 or more individuals: notify HHS contemporaneously with notice to individuals
- Breaches involving fewer than 500 individuals: maintain a log and provide it to HHS 60 days after the end of each calendar year
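The four-step screen, the "secured PHI" safe harbor and the notice tiers above can be turned into an incident-response checklist. The following is an added example written for this page, not material from the presentation or its authors; the Incident type, its field names and the sample incident are constructed assumptions, and the output is a planning aid, not legal advice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Only NIST-consistent encryption or SP 800-88 destruction makes PHI "secured";
# access controls and redaction are deliberately left out, as the slides state.
SECURED = {"encrypted", "destroyed"}

@dataclass
class Incident:                      # assumed type, constructed for this example
    discovered: date                 # first day the breach was known, or should have been known
    protection: str                  # "encrypted", "destroyed", "access controls", "redaction" or "none"
    is_phi: bool                     # steps 1-2: individually identifiable health information that is PHI
    violates_privacy_rule: bool      # step 3
    significant_harm: bool           # step 4: significant risk of financial, reputational or other harm
    exception_applies: bool = False  # one of the listed exceptions to breach
    affected: int = 0                # individuals whose PHI was involved
    unreachable: int = 0             # individuals with insufficient or out-of-date contact information
    residents_by_state: dict = field(default_factory=dict)  # state -> affected residents

def notice_required(inc: Incident) -> bool:
    """Secured PHI is never a reportable breach; otherwise walk steps 1-4 and the exceptions."""
    if inc.protection in SECURED:
        return False
    return (inc.is_phi and inc.violates_privacy_rule
            and inc.significant_harm and not inc.exception_applies)

def notification_plan(inc: Incident) -> dict:
    """Return who must be notified, how, and by when, following the slide rules."""
    if not notice_required(inc):
        return {"required": False}
    deadline = inc.discovered + timedelta(days=60)   # outer limit; act without unreasonable delay
    plan = {"required": True, "individual_deadline": deadline,
            "individuals": "first-class mail (electronic notice if the individual agreed)"}
    if 0 < inc.unreachable < 10:
        plan["substitute"] = "alternative written, telephone or other means"
    elif inc.unreachable >= 10:
        plan["substitute"] = "website posting for at least 90 days, or major print/broadcast media"
    # media notice is per state, triggered by more than 500 residents of that state
    media_states = sorted(s for s, n in inc.residents_by_state.items() if n > 500)
    if media_states:
        plan["media"] = {"states": media_states, "deadline": deadline}
    if inc.affected >= 500:
        plan["hhs"] = "contemporaneous with notice to individuals (name posted on HHS website)"
    else:
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs"] = f"log the breach; annual log due {year_end + timedelta(days=60)}"
    return plan

# Constructed sample incident (not a real event): an unencrypted laptop protected only
# by a login, holding records of 1,200 patients, 15 of them with stale addresses.
LOST_LAPTOP = Incident(discovered=date(2010, 3, 1), protection="access controls", is_phi=True,
                       violates_privacy_rule=True, significant_harm=True, affected=1200,
                       unreachable=15, residents_by_state={"CO": 900, "NV": 300})

if __name__ == "__main__":
    print(notification_plan(LOST_LAPTOP))
```

Changing `protection` to "encrypted" on the same incident shows the safe harbor in action: no notification plan is produced.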
Data Breach Notification: Enforcement
- Effective Date: September 23, 2009
- Sanctions for failure to provide required notification will not be imposed for breaches discovered before February 22, 2010

Data Breach Notification: Vendors of Personal Health Records
- Breach notification rule for vendors of personal health records and related entities (Federal Register, Vol. 74, No. 163, Tuesday, August 25, 2009)
- Regulated by the Federal Trade Commission
- Effective September 24, 2009; full compliance by February 22, 2010

Data Breach Notification: Vendors of Personal Health Records
- Breach notification requirements similar to HHS requirements for covered entities
- The FTC rule does not apply to HIPAA-covered entities or to BAs of HIPAA-covered entities
Restrictions on Certain PHI Disclosures
- A covered entity can no longer refuse a request NOT to use or disclose PHI when:
  - The disclosure is to a health plan for carrying out payment or health care operations (not for treatment); and
  - The PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
- Previously, a covered entity was not required to agree to such requested restrictions

Restrictions: Limited Data Set and Minimum Necessary
- The HITECH Act requires covered entities using or disclosing PHI, or requesting PHI from another covered entity, to limit disclosure of PHI to the limited data set as defined under HIPAA, or, if more information is needed, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.

Restrictions: Limited Data Set and Minimum Necessary
- The Secretary is to issue guidance on what constitutes minimum necessary
- The Secretary is permitted up to 18 months to issue the new guidance
- However, the Act retains all the current exceptions to the existing minimum necessary disclosure standard, including disclosures made for treatment purposes and disclosures required by law
- This section does not apply to the use, disclosure or request of de-identified PHI

Restrictions: Limited Data Set and Minimum Necessary
- Minimum Necessary and Breach Notification: HHS takes the position that release of more than the Minimum Necessary may be a breach requiring notification

Restrictions on Certain PHI Disclosures: Accounting of PHI Disclosures
- The HITECH Act removes an exception that excused covered entities from accounting for disclosures of PHI to carry out treatment, payment and health care operations.
- All such disclosures must be accounted for if the disclosure was made through an EHR
- The right to an accounting of disclosures only applies to the three years prior to the date on which the accounting is requested, rather than the six years permitted under HIPAA

Restrictions: Accounting of PHI Disclosures
- The effective date for the accounting requirement varies depending on when a covered entity acquires an EHR:
  - For covered entities that had an EHR as of January 1, 2009, the new accounting rules apply to disclosures of PHI made from that EHR on and after January 1, 2014
  - For covered entities acquiring an EHR after January 1, 2009, the accounting rules apply to disclosures made on and after the later of January 1, 2011, or the actual date on which the entity acquires an EHR
- The Secretary has the option to postpone the compliance dates for current users to 2016 and for future users to 2013, if the Secretary determines that a later date is necessary
Sale of EHRs and PHI Prohibited
- Covered entities and BAs are prohibited from receiving remuneration in exchange for any PHI of an individual without obtaining the authorization of such individual
- The authorization must specify whether the original receiver of the PHI may further exchange it for remuneration
- Subject to additional regulations that the Secretary is mandated to issue within 18 months after enactment of the Act
- Goes into effect and applies to exchanges of PHI occurring on or after 6 months after the date of promulgation of the final regulations
- Seven exceptions to the prohibition on sale of PHI

Sale of EHRs and PHI Prohibited: Seven Exceptions
The exceptions apply if the sale of PHI is for purposes of:
1. Public health activities (as defined under HIPAA);
2. Research, if the price paid for PHI reflects the costs of preparation and transmittal of the PHI;
3. Treatment of the individual;
4. Sale, transfer, merger or consolidation of all or part of the covered entity, and due diligence related to such activity;
5. An activity that the covered entity's business associate undertakes that is covered by an applicable business associate agreement;
6. Providing an individual with a copy of the individual's PHI pursuant to an individual's right of access under HIPAA; and
7. Other exchanges that the Secretary, in the mandated future regulations on this subject, will deem similarly appropriate and necessary to the exceptions described above

Access to PHI Contained in an EHR
- A covered entity that maintains an electronic health record with respect to PHI is required to produce a copy of such PHI in electronic format upon an individual's request and, if the individual so chooses, to transmit the copy directly to an entity or person designated by the individual, provided the request is clear, conspicuous, and specific
- A fee for such service may not be greater than the covered entity's labor costs in responding to the request for the copy (or summary or explanation).
Restrictions on Marketing
- New restrictions on covered entities' and BAs' marketing communications to potential buyers or users of their products
- Any communication that encourages the recipient to purchase or use a product or service is not considered a health care operation unless it is made:
  - to describe a product or service (or payment therefor) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
  - for treatment of the individual; or
  - for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual

Restrictions on Marketing
- The three exceptions above will not be considered health care operations if the covered entity receives direct or indirect payment in exchange for making such communications, unless:
  - the payment is for a communication regarding a drug currently prescribed for the recipient of the communication and such payment is reasonable in amount (the latter requirement to be interpreted in new regulations by the Secretary);
  - the communication is made by the covered entity and the covered entity obtains a valid authorization in accordance with HIPAA; or
  - the communication is made by a BA of a covered entity, on behalf of such covered entity, and such communication is consistent with the applicable business associate agreement

Restrictions on Marketing and Fundraising
- Any written fundraising communication that is a health care operation under HIPAA is to provide, in a clear and conspicuous manner, an opportunity for the recipient to opt out or elect not to receive any further such communications
- If a person opts out, such election is to be treated as a revocation of authorization
- Restrictions on marketing and fundraising communications will apply to written communications occurring on or after February 17, 2010
Precedence over Conflicting State Laws
- The HITECH Act supersedes contrary provisions of state law in the same manner as a standard or implementation specification adopted under HIPAA supersedes contrary provisions of state law, unless the HHS Secretary determines that such provision is necessary to:
  - prevent fraud and abuse;
  - ensure appropriate state regulation of insurance and health plans;
  - support state reporting on health delivery costs; or
  - serve other purposes as determined by the Secretary;
- or the state provision addresses a controlled substance
- HIPAA does not supersede state law if the state law provisions are more stringent than the requirements imposed under HIPAA
- The HITECH Act also supersedes any inconsistent standards governing the privacy and security of individually identifiable information promulgated under HIPAA

New Enforcement Approaches
- Expands who is liable for criminal violations
- Expands the bases for civil penalties and increases CMPs (from $25,000 to $1.5 million)
- Harmed individuals to receive a percentage of the CMP
- State Attorneys General may bring civil actions for criminal violations
- HHS audits of covered entities and business associates required

For more information please contact:
- William H. Fischer, whfischer@hollandhart.com, 303-295-8338
- Berna Rhodes-Ford, brhodesford@hollandhart.com, 702-222-2582