OCR UPDATE: Breach Notification Rule & Business Associates (BA)
Alicia Galan, Supervisory Equal Opportunity Specialist
March 7, 2014

HITECH OMNIBUS
A Reminder of What's Included:
- Final Modifications of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act)
- Final Modifications of the Privacy Rule pursuant to the Genetic Information Nondiscrimination Act (GINA)
- Other Modifications to Improve Workability of the Privacy Rule
BUSINESS ASSOCIATES
Contract between CE and BA still required; however, now:
- BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; directly liable for violations
- BAs must comply with the use or disclosure limitations expressed in their contract and those in the Privacy Rule; directly liable for violations
- Clarification that BAs are liable whether or not they have an agreement in place with the CE
- If the CE delegates a Privacy Rule obligation to the BA (e.g., providing the Notice of Privacy Practices (NPP) to individuals), the contract must require the BA to perform in compliance with the Rule
- Makes the CE liable for violations of a BA agent acting within the scope of agency (Federal Common Law of Agency)

BUSINESS ASSOCIATE LIABILITY
Direct liability:
- Impermissible uses and disclosures (including more than minimum necessary)
- Failure to comply with the Security Rule
- Failure to provide breach notification
- Failure to provide e-access as provided in the BA contract
- Failure to disclose PHI to HHS for compliance and enforcement
- Failure to provide HITECH accounting (later; no final rule yet)
Contractual liability for requirements of the BA contract
SUBCONTRACTORS
Business Associates: New Rule for Subcontractors
- Subcontractors now defined as BAs
- BA liability flows down the chain
- Does not change parties to the contracts: the CE must have a BA contract with its BA, the BA must have a BA contract with its subcontractor, and so forth

DEFINITION OF BA: NEW RULE
Now expressly in the definition:
- Health Information Organizations, E-Prescribing Gateways, and others that provide data transmission services with respect to PHI and require access on a routine basis to such PHI
- PHR vendors that provide services to individuals on behalf of covered entities
- Clarification that the conduit exception does not apply to BAs that store PHI
BREACH NOTIFICATION RULE
Revised Definition of Breach: Breach Presumed UNLESS (LoProCo) the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on:
- Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Focus on risk to the data, instead of risk of harm to the individual.
Risk Assessment must be documented.

BREACH NOTIFICATION
Breach Notification to the Secretary
- Makes permanent the notification and other provisions of the August 2009 interim final rule, with only minor changes/clarifications, e.g.:
- Clarifies that notification to the Secretary of smaller breaches is to occur within 60 days of the end of the calendar year in which the breaches were discovered (versus occurred)
500+ Breaches by Type of Breach (data as of February 2014)
- Theft: 48%
- Unauthorized Access/Disclosure: 18%
- Loss: 11%
- Other: 10%
- Hacking/IT Incident: 7%
- Improper Disposal: 5%
- Unknown: 1%

500+ Breaches by Location of Breach (data as of January 2014)
- Laptop: 23%
- Paper Records: 22%
- Desktop Computer: 14%
- Portable Electronic Device: 12%
- Network Server: 11%
- Other: 10%
- E-mail: 4%
- EMR: 4%
BREACH HIGHLIGHTS (September 2009 through January 2014)
- 800 reports involving a breach of PHI affecting 500 or more individuals
- Theft and Loss are 59% of large breaches
- Laptops and other portable storage devices account for 35% of large breaches
- Paper records are 22% of large breaches
- 92,000 reports of breaches of PHI affecting fewer than 500 individuals

LESSONS LEARNED
Appropriate Safeguards Prevent Breaches
- Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives
- Take reasonable and appropriate measures to safeguard e-PHI
- Store all e-PHI on a network
- Encrypt data stored on portable/movable devices & media
- Employ a remote device wipe to remove data when a device is lost or stolen
- Train workforce members on how to effectively safeguard data and timely report security incidents
LESSONS LEARNED
- Use a password or other user authentication.
- Install and enable encryption.
- Install and activate wiping and/or remote disabling.
- Disable and do not install file-sharing applications.
- Install and enable a firewall.
- Install and enable security software.
- Keep security software up to date.
- Research mobile apps before downloading.
- Maintain physical control of your mobile device.
- Use adequate security to send or receive PHI over public Wi-Fi networks.
- Delete all stored health information before discarding or reusing the mobile device.

OCR website: www.hhs.gov/ocr