HIPAA Omnibus Rule Overview
Presented by: Crystal Stanton, MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule - Agenda
- History of the Omnibus Rule
- What is the HIPAA Omnibus Rule and its various parts?
- Why is this important?
- What are the major modifications?
- PHI Breaches + Notifications
- Audits, Consequences + Penalties
- HIPAA Security Rule Analysis
- MicroMD HIPAA Compliance + Support
History of the Omnibus Rule
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
- Omnibus Rule, 2013
- Before HITECH, Business Associates (BAs) were regulated only through Business Associate Agreements (BAAs)
- After HITECH, BAs and their subcontractors are regulated directly by HIPAA
- Therefore, BAs must comply with the Security Rule, some Privacy Rule provisions, and the provisions of their BAA
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule is a set of final regulations that modifies the existing HIPAA rules and implements a variety of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
There are three main parts to the HIPAA Omnibus Rule:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Source: HHS.gov
What is the HIPAA Security Rule?
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
Source: HHS.gov
What is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
Source: HHS.gov
Why is this important?
- 804 PHI breaches between 2009 and 2013
- These breaches involved 29.3 million patient health records
- 138% rise in the number of health records breached in 2013
- 83.2% of breaches were due to theft
- 22% of breaches were due to unauthorized access
- 35% of breaches involved an unencrypted laptop or other electronic device
Source: HealthITOutcomes.com
What are the major modifications?
- Use of Personal Health Information (PHI)
- Patient access to electronic PHI
- New requirements for Business Associates and their Subcontractors
- Defines new Security Requirements
- Updated definition of PHI Breach, how to assess breach level, and notification
- Outlines penalties
Use of Personal Health Information (PHI)
- Limitations on use of PHI for marketing + fundraising purposes
- Prohibits sales of PHI without individual authorization to do so
- Broadens patient ability to restrict disclosure of PHI to health insurance, for instance when a patient pays cash
Patient Access to Electronic Health Record
- Expands patient rights to request + receive electronic copies of their health record
- Ties into Meaningful Use (MU):
  - Stage 2 Core Objective 7a: More than 50 percent of all unique patients seen by the EP during the EHR reporting period are provided timely (within 4 business days after the information is available to the EP) online access to their health information.
  - Stage 2 Core Objective 7b: More than 5 percent of all unique patients seen by the EP during the EHR reporting period (or their authorized representatives) are able to view, download or transmit to a third party their health information.
Business Associates (BAs): Definition
Persons who, on behalf of a Covered Entity (other than the Covered Entity's workforce), perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA.
Examples:
- IT equipment, support + software vendors
- Leasing firms
- Data centers
- Cloud computing providers
- Telephony + answering service vendors
- Shredding vendors
- Billing services
- Transcription services
- Collection services
- Temporary employment agencies
Business Associates (BAs): Omnibus Impact
- Extends requirements of the privacy and security rules to physician BAs and their subcontractors
- HHS Secretary authorized to receive complaints and take action against BAs and subcontractors
- BAs and subcontractors required to maintain their own records and provide HHS access to information
- BAs and subcontractors subject to civil money penalties for violations
- BAs and subcontractors liable under contract to the Covered Entity (CE) and BA
Business Associates (BAs): Why the changes?
- Before HITECH, management of PHI was loosely defined; the law required use of appropriate safeguards
- No established standards
- No way to validate that standards were being followed
- Laptops don't always have encrypted disks
- Users often disable or don't update virus protection
- Covered Entities (CEs) with limited IT resources
- Increasing EMR adoption
Business Associates (BAs): Must Document
- Risk Analysis
- Continuity Plan
- Security Practices and Procedures
- Incident Response Plan (Breaches)
- Records Disposal Procedure for Electronic Media and Paper Records
- Employee Training Program
- Termination Procedures
- Audit Logs
Business Associates (BAs): Musts
- Protect data + uphold privacy and security measures
- Restrict access to PHI via password
- Secure servers; limit access
- Receive and forward data automatically
- 128-bit encryption for reports
- Restrict PHI to need-to-know
- Automatic password expiration
- Store archives and backups in a fireproof safe
- Mandatory HIPAA training
- Monitored security system
- Automated, securely-stored data backups
- Automated virus checks
- Properly dispose of data
- Delete data from BA systems at end of BA
- Not retain paper copies
Business Associate Agreement (BAA): Elements
- Specifies:
  - Purpose for use of PHI
  - Functions, activities or services performed for the CE
- BAs agree to:
  - Not use PHI outside of requirements
  - Use appropriate safeguards
  - Mitigate disclosure that violates the BAA
  - Report disclosures to the CE
  - Document disclosures
Business Associate Agreement (BAA): Elements
- Designates:
  - BA may use PHI for data aggregation
  - BA may use PHI to report violations of law
  - Notification of BA changes in PHI disclosure procedures
  - Notification of BA of PHI use or disclosure
  - Term and termination provision
  - Provision that the BAA applies to subcontractors
  - BA returns or destroys PHI and retains no copies (or, if return is not feasible, specifies conditions)
Business Associates (BAs): Violations
HITECH deems a BA to violate HIPAA if the BA:
- Knows of a pattern of activity or practice that breaches their Business Associate Agreement (BAA), and
- Fails to cure the breach, terminate the BAA, or report the non-compliance
Security Rules
- BAs + Subcontractors should already have in place security practices that either comply with the HIPAA Security Rule, or that only require modest improvements to come into compliance
- CEs and BAs must review and modify security measures to ensure the continued provision of reasonable and appropriate protection of PHI
- Specifies that the BA, not the CE, secures assurances of adherence from Subcontractors
- A Subcontractor of a BA must report security incidents, including breaches, to its BA
PHI Breaches + Notification
- Defines that improper use or disclosure of PHI should be considered a breach that triggers official notification requirements, unless the organization in question carries out a risk assessment and determines otherwise
- Applies to unsecured PHI, i.e. PHI not rendered unusable, unreadable or indecipherable
PHI Breaches + Notification
Changes the definition for required notification of breaches:
- 2009: Requirement was to notify of a breach if there was significant risk of harm to the individual
- 2013: Any acquisition, access, use or disclosure of PHI that is not permitted under HIPAA is deemed a breach, unless the covered entity or Business Associate can demonstrate, using a 4-factor assessment, that there is a low probability that PHI has been compromised
- The risk of harm used to be the threshold when determining whether a breach occurred
- Now the Office for Civil Rights (OCR) uses presumption of a breach as the threshold, making it more likely that notification of a PHI breach is required
Common Breaches
- Impermissible use and disclosure of PHI
- Lack of safeguards of PHI
- Lack of patient access to PHI
- Complaints about the CE to HHS
Breach Notification: Assessment
4 factors must be assessed:
1. Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. Extent to which the risk to the PHI has been mitigated
If assessment of the factors fails to show a low probability that the PHI has been compromised, breach notification is required.
Breach Notification: Examples
- Example 1: A laptop computer was stolen and recovered, and analysis shows the PHI on the computer was never accessed, viewed, transferred, acquired or compromised in any way
- Example 2: Credit card numbers and social security numbers were included on the laptop, and analysis shows the data was transferred
Breach Notifications: Obligations
- Notify impacted individuals in plain language by written notice via first class mail (or e-mail if agreed by the individual), to include:
  - Description of how the breach occurred
  - Date of breach + breach discovery
  - Description of compromised PHI (data fields)
  - Steps individuals can take to protect themselves from resulting harm
  - Steps the CE is taking to resolve and protect against further breaches
  - Contact info of the Privacy Officer
- Also notify by phone or other means for urgent situations
- Minors: Notify parent or designated guardian
- Deceased: Notify next of kin
- Disclosure of SSN: Check with state
Breach Notifications: Obligations
- Notify Secretary of HHS
  - Breaches involving more than 500 individuals
    - Submit notification online: http://ocrnotifcations.hhs.gov/
    - No later than 60 days after discovery
  - Breaches involving fewer than 500 individuals
    - Should be documented and submitted annually to HHS
    - Documentation of breaches should be maintained for 6 years from the last breach
- Notify media
  - If the breach involves more than 500 residents of a state or jurisdiction
  - Must be a prominent media outlet
  - No later than 60 days after discovery
Audits, Consequences + Penalties
Avoiding HIPAA Consequences
- Read the full rule
- Modify and redistribute your individual Notice of Privacy Practices
- Amend BAAs to add security and privacy provisions and reissue for signature
- Do a test run before ever encountering a breach
- Complete a Security Risk Assessment
- Identify gaps + fix
- Document policies + procedures
- Create an action plan for breaches
- Conduct regular internal audits
- Have your BAAs handy; alert your BAs
- Establish audit reports, schedule + print
- Train staff
Surviving a HIPAA Audit
- Audits have been rare; they tend to occur with breach notification
- Initial document request period: 10 days
- The audit process entails:
  - Site visit: Interview stakeholders and examine health information systems
  - Site audit report: Physical safeguards, daily operations, adherence to policies and HIPAA compliance
  - Remediation: Identify gaps and prioritize fixes; CEs should start an immediate good faith effort
- If you've prepared + documented it, you'll show a good faith effort
HIPAA Security Rule Risk Analysis
5 components of the Security Risk Analysis (Security Component: MicroMD Security Measures to Help)
- Physical Safeguards: N/A: These are practice safeguards
- Administrative Safeguards: Use your MicroMD software to:
  - Control information access
  - Review user activities
- Technical Safeguards:
  - MicroMD EMR Audit Controls
  - Practice-controlled User Access Designation
  - Login Management and Password Protection Controls
  - Direct Secure E-mail
  - Secure and Timely Data Sharing with Patients
  - MicroMD ebackup
  - Cloud-based MicroMD
- Policies + Procedures: N/A: These are practice safeguards
- Organizational Requirements: Business Associate Agreement with MicroMD
MicroMD HIPAA Compliance + Support
- BAAs
  - Secure signed BAAs from each client
  - Provide you with a signed BAA from MicroMD
  - Secure signed BAAs from each MicroMD vendor + subcontractor
  - HIPAA Compliance Officer: Linda Spinelli: linda.spinelli@henryschein.com
- Maintain HIPAA-compliant Policies, Procedures and Training
- Security
  - Encrypted HIPAA-compliant data security for the MicroMD Cloud data center
  - Offer HIPAA-compliant ebackup service for non-cloud data backup
- Auditing
  - Audit logs to track and document HIPAA-related items
  - Client Support for questions regarding audit documentation
HIPAA Resources
- Federal Register HIPAA Final Rule, Jan 2013: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf (138 pages)
- HIPAA Survival Guide: http://www.hipaasurvivalguide.com/hipaa-omnibusrule.php
- AMA Summary: http://download.amaassn.org/resources/doc/washington/x-pub/hipaaomnibus-final-rule-summar.pdf
HIPAA Omnibus Rule Overview
For additional questions, please email me at crystal.stanton@henryschein.com