Implementation: Business Associates and Breach Notification
Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com
Clay J. Countryman, Esq., Clay.Countryman@bswllp.com
Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com
Focus of Presentation: Implementation
- Breach Notification: duty to notify, risk assessments, and corrective action
- Business Associate Agreements
- Monitoring of Business Associates and Subcontractors
HIPAA Omnibus Final Rule: Important Dates
- Published in Federal Register: January 25, 2013
- Effective Date: March 26, 2013
- Compliance Date: September 23, 2013
- Conform Business Associate Agreements: September 22, 2014
OCR: Largest Breaches in 2012
- Hacking of network server: 780,000 individuals affected
- Backup tapes stored at hospital cannot be found and are presumed lost: 315,000 affected
- Unencrypted emails sent to employee's unsecured email address: 228,435 affected
- Theft of laptop from employee's vehicle: 116,506 affected
- Unauthorized access to ePHI stored in database: 105,646 affected
- Hacking of database stored on network server: 70,000 affected
Breach Notification: Implementation
- OCR: "We expect risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable."
- A risk assessment is required for both impermissible uses and disclosures.
- Uses or disclosures that impermissibly involve more than the minimum necessary may constitute a breach.
Modification to the Breach Notification Rule: Notification to Individuals
Important clarifications include:
- A Covered Entity that is acting as a Business Associate should respond to a breach as a Business Associate. The obligation to disclose will rest with the Covered Entity whose PHI is compromised.
- Alternative Notice: Notice has not been given if a written notice is returned as undeliverable. CEs responding to a breach with more than 10 notifications returned as undeliverable may take some reasonable time to search for correct, current addresses, but must provide substitute notice as soon as reasonably possible and within the original 60-day time frame for notifications.
Breach Notification Rule: Notification to the Media
HHS clarified several points regarding media notifications, including:
- Covered entities are not obligated to incur the cost of any media broadcast regarding the breach in question.
- Media outlets are not obligated to publicize each and every breach notice they receive (and a failure to publicize does not render the notice provided insufficient).
- CEs must deliver a press release directly to the media outlet being notified. Posting a general press release on a website is insufficient.
Breach Notification: Implementation
- Revise breach response policies/practices to expressly include at least the four risk assessment factors
- Thoroughly document the risk assessment, especially an assessment finding a low probability that PHI was compromised
- Review vendor assessment practices and tools, mindful of the heightened risk that an unauthorized disclosure is a breach
- Do not forget that state breach notification laws often have different breach definitions and requirements
- Be mindful that 60 days is an outer limit
- Expect future OCR guidance on risk assessments
Breach Notification: Burden of Proof
- If a risk assessment is not performed, the default is notification of the breach
- The burden of demonstrating a low probability that PHI is compromised is on the CE/BA
- A decision not to notify must be documented in case of review
Breach Notification: Obligations
- CEs must notify individuals (although they can delegate this to BAs)
- BAs must notify CEs
- Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain
Breach Notification: Risk Analysis Criteria (Examples)
- Likelihood of identification or re-identification:
  - A list of patient names: not low probability
  - Patient discharge data, patient not specified: can patients be re-identified?
- Who is the unauthorized recipient:
  - A HIPAA covered entity: low probability, as long as you have evidence the risk has been mitigated
  - An employer: may be able to use personnel records to re-identify
- PHI actually acquired or viewed:
  - Untampered-with laptop: low probability
  - Information mailed to the wrong person: not low probability
- Has improper use been mitigated:
  - Satisfactory assurances of destruction from a known person: low probability
Business Associate Agreements
The contract between a CE and BA must provide that the BA will:
- Comply with the HIPAA Privacy and Security Rules
- Report to the CE any security incident of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR 164.410
- Ensure that any subcontractors who create, receive, maintain, or transmit ePHI on behalf of the BA comply with the Rule
Business Associate Subcontractor Agreement
- BAs must enter into a proper downstream BAA with any subcontractors
- Same requirements as between the CE and BA
- Subcontractors are subject to the limits in the initial CE/BA Agreement
BA Agreement Transition
The Compliance Date for Business Associate Agreements to be compliant with the Final Rule is September 23, 2013.
BUT, if the CE and BA had a current BAA prior to January 25, 2013 (the publication date of the Omnibus Rule), the time period is extended to the earlier of:
- the renewal date of the BA Agreement, or
- September 22, 2014.
BA Agreement Transition: Renewals
- If a BAA drafted prior to January 25, 2013 is renewed or modified during the period between March 23, 2013 and September 23, 2013, it will not qualify for the full transition period and must be compliant by September 23, 2013.
- BUT, if a BAA is subject to automatic or evergreen renewal, it will qualify for the full transition period.
Okay, let's make this simple.
Did you have a BAA before January 25? No.
Have one by September 23.
Okay, let's make this simple.
Did you have a BAA before January 25? Yes.
Is it up for non-automatic renewal between March 23 and September 23, 2013? Yes.
Make it compliant by September 23, 2013.
Okay, let's make this simple.
Did you have a BAA before January 25? Yes.
Is it up for non-automatic renewal between March 23 and September 23, 2013? No.
Make it compliant by its renewal date or September 22, 2014 (whichever is sooner).
Okay, let's make this simple.
Do you have a BAA that is compliant with the regulations in the Omnibus Rule? Good job.
Questions?
Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com
Clay J. Countryman, Esq., Clay.Countryman@bswllp.com
Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com