HIPAA, HIPAA HITECH and HIPAA Omnibus Rule (NYCR-245157)
HIPAA, HIPAA HITECH & the Omnibus Rule

A. HIPAA
- IIHI and PHI
- Privacy & Security Rule
- Covered Entities and Business Associates

B. HIPAA HITECH
- Why
- Three Important Changes: Enforcement, Breach Notification Rule and Business Associates

C. HIPAA Omnibus Rule
- Why
- Increased Oversight of Business Associates
Health Insurance Portability & Accountability Act
- HIPAA governs health information privacy and health data security
- Sets standards for the electronic exchange, privacy and security of health information
- Issues privacy regulations governing individually identifiable health information (IIHI)
- Applies to IIHI held or transmitted in any format: paper, electronic or oral
Health Insurance Portability & Accountability Act
- Individually identifiable medical information: information, incl. demographic data, that relates to:
  - the individual's past, present or future physical or mental health or condition,
  - the provision of health care to the individual, or
  - the past, present, or future payment for the provision of health care to the individual
- Includes many common identifiers (e.g., name, address, birth date, SSN)
- Access to your medical records
- Opt-in if sharing
Protected Health Information
- The Privacy Rule protects all "individually identifiable health information" ("protected health information", or PHI)
- Held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral
Privacy Rule
- AKA the Standards for Privacy of Individually Identifiable Health Information; establishes national standards for the protection of certain health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
Privacy Rule
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.
Minimum Necessary Requirement
- Key protection of the HIPAA Privacy Rule
- Based on current practice that protected health information should not be used or disclosed when not necessary to satisfy a particular purpose or carry out a function
- The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.
- Requirements for minimum necessary are flexible to accommodate the various circumstances of any covered entity.
Security Rule
- AKA the Security Standards for the Protection of Electronic Protected Health Information
- Establishes a national set of security standards for protecting certain health information held or transferred in electronic form
- Addresses technical and non-technical safeguards that organizations called covered entities must put in place to secure individuals' electronic protected health information (e-PHI)
What Information is Protected?
- The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI).
- The Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.
- This information is electronic protected health information (e-PHI).
- The Security Rule does not apply to PHI transmitted orally or in writing.
Privacy Practices Notice
- Each covered entity, with certain exceptions, must provide a notice of its privacy practices
- Under the Privacy Rule, the notice must describe the ways in which the covered entity may use and disclose protected health information
- Notice must state the covered entity's duties to protect privacy, provide notice of privacy practices, & abide by the terms of the current notice
Privacy Practices Notice
- Notice must describe individuals' rights, incl. the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated
- Notice must include a point of contact for further information and for making complaints to the covered entity
- Covered entities must act in accordance with their notices
HIPAA Covered Entities
- Health plans: Medical, Dental & Vision Plans, HMOs, Medicare & Medicaid, Long Term Care, Veterans Plan
- Health care clearinghouses: Billing services, Community Health Management
- Hospitals and Medical offices: Clinics, Dentists, Chiropractors, Pharmacies
- Any health care provider who transmits health information in electronic form in connection with transactions
HIPAA Exceptions
- Group health plan with fewer than 50 participants administered solely by the employer that established and maintains the plan
- Two types of government-funded programs: (1) those whose principal purpose is not providing or paying the cost of health care, e.g. food stamps; (2) those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care
Civil Money Penalties
- Imposed on a covered entity for a failure to comply with a requirement of the Privacy Rule
- Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity's failure to comply was due to willful neglect
- Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
HIPAA
- A penalty will not be imposed for violations in certain circumstances, such as if:
  - the failure to comply was not due to willful neglect & was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or
  - the Department of Justice has imposed a criminal penalty for the failure to comply
- In addition, the Office for Civil Rights (OCR) may choose to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance
HIPAA Criminal Penalties
- A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year imprisonment
- Criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, &
- Up to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.
HIPAA HITECH
- HITECH: Health Information Technology for Economic and Clinical Health
- Data Breach Notification Rule: breach of unsecured protected health information; requires covered entities & business associates to notify
- Business Associates: health insurance agents & brokers; more stringent requirements
Health Information Technology for Economic and Clinical Health Act
- The Breach Notification Rule requires Covered Entities and Business Associates to provide notice when there is a breach of unsecured protected health information ("PHI"), and the breach compromises the security of the PHI in electronic form
- With respect to Covered Entities and Business Associates, PHI is health information that can identify individuals and that is transmitted or maintained in written, oral, electronic or any other form
Notice Required by Covered Entities
- If a Covered Entity discovers (or reasonably should have discovered) a breach of unsecured PHI that compromises the security of the PHI, the Breach Notification Rule requires the Covered Entity to notify each affected individual without unreasonable delay, and in any event within 60 days
- In cases affecting more than 500 individuals, the Covered Entity also must provide notice to HHS
- If more than 500 individuals in the same state or jurisdiction are affected, notice must be provided to prominent media outlets serving the state or jurisdiction. Such notice may be in the form of a press release.
Business Associate
- A person or organization, other than a member of the covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
- Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing
- Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services
Business Associate
- However, persons or organizations are not considered business associates if their functions or services don't involve the use or disclosure of protected health information and where any access to protected health information by such persons would be incidental, if at all
- A covered entity can be the business associate of another covered entity
Notice Required by Business Associate
- If a Business Associate discovers (or reasonably should have discovered) a breach of unsecured PHI that compromises the security of the PHI, the Breach Notification Rule requires the Business Associate to notify the Covered Entity without unreasonable delay, and in any event within 60 days
- The business associate contract between the Covered Entity and the Business Associate may require an even shorter notice period
- If a Business Associate has PHI from more than one Covered Entity and it is unclear whose information has been breached, the Business Associate may need to provide notice to all potentially affected Covered Entities.
Disclosure of PHI: Three Exceptions
(1) Unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a Covered Entity or Business Associate;
(2) Inadvertent disclosure of PHI from one person authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the Covered Entity or Business Associate; and
(3) Unauthorized disclosure in which the unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information
HIPAA OMNIBUS RULE
- Effective September 23, 2013
- HIPAA confidentiality obligations and enforcement
- New definition of Business Associate
  - Old: uses or discloses individually identifiable health information
  - New: creates, receives, maintains or transmits protected health information
  - On behalf of a covered entity
What is a Business Associate?
- A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity
- Business associate functions and activities include:
  - Claims processing or administration
  - Data analysis, processing or administration
  - Utilization review & quality assurance
  - Billing
  - Benefit management
What is a Business Associate?
- Business associate services:
  - Legal
  - Actuarial or Accounting
  - Consulting
  - Data aggregation or IT Services
  - Management or Administrative
  - Accreditation
  - Financial
  - Lab
  - Collection Agency
  - Message Services
  - Cleaning Crews
  - Unsupervised, After-Hours Services
Other Possible Business Associates
- Subcontractor + PHI = Business Associate
- Subcontractor = a person to whom a business associate delegates a function, activity or service
- A subcontractor is not a workforce member
Obligations of Covered Entities
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
HIPAA OMNIBUS RULE
- Mandatory audits by HHS
  - Covered entities
  - Business associates
- Protected Health Information (PHI) need not be breached to generate an audit
- To the extent that Business Associates create, maintain or transmit Protected Health Information
- Higher degree of enforcement
  - Document compliance
  - Train staff
  - Encrypt everything containing PHI
  - Business Associate Agreements
Why HIPAA Omnibus Rule is Important to All Agents and Brokers
- Could be considered to be Business Associates if you
  - Sell health insurance directly to an individual
  - Sell a group health insurance plan to a business owner
  - Have involvement in setting up or managing a self-insured plan
- Therefore, you need to
  - Protect both individually identifiable health information (IIHI) and protected health information (PHI) and
  - Have a written Security Plan and Business Associate Agreement
Penalties
- Focus is on willful neglect: conscious, intentional or reckless indifference
- Statutory Exceptions
  - Unintentional acquisition of PHI by Covered Entity, Business Associate or Subcontractor
  - Inadvertent disclosure between authorized persons
  - Good faith belief that the unauthorized person could not have reasonably retained the information
- Penalties
  - $100 per violation
  - $1.5M per year for a series of identical violations
What to Do: Risk Analysis and Management
- Evaluate the likelihood and impact of potential risks to e-PHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintain continuous, reasonable, and appropriate security protections.
HIPAA, HITECH & Omnibus Obligations
- HIPAA: protect health information given to covered entities
- HITECH: protect health information, especially in electronic form, relative to breach notice
  - Business Associates regulated by agreements with the covered entity and not directly by the government
- Omnibus: protect health information, especially in electronic form
  - Business Associates now have a higher degree of accountability and face greater penalties from governmental enforcement
  - Data must be breached and/or disseminated
  - 58% of breaches caused by Business Associates
CMS.gov: Centers for Medicare and Medicaid Services
Additional HIPAA Help
- Virtual University
- ACT: Agents Council on Technology
- IIABA Legal Advocacy
- Judi Newman, PhazeII Consulting Inc.
- Bill Larson, Profit Protection Management Consultants, Inc.
- Both provide consulting services to independent insurance agencies on a variety of management issues including data privacy and security like HIPAA/HITECH, FACTA, GLB
- Contact Information: 239-481-6001 or e-mail: judinewman@aol.com
HIPAA Breach Notification Rule
- Click here to view the PDF.
- The following article, which was prepared by the law firm Jones Day, provides an overview of the changes to HIPAA that stem from the American Recovery and Reinvestment Act of 2009: click here.
- The following article, which was prepared by the law firm Shearman & Sterling LLP, provides an overview of the changes to HIPAA that stem from the American Recovery and Reinvestment Act of 2009: click here.
- The following article, which was prepared by the law firm McKenna Long & Aldridge LLP, provides information and a checklist for Business Associates to comply with the changes to HIPAA that stem from the American Recovery and Reinvestment Act of 2009: click here.
Thank You
Dee Macheda
dmacheda@iiabny.org
(800) 851-8853, x 215