The New HIPAA: Rules and Responsibilities


  1. The New HIPAA: Rules and Responsibilities. March 26, 2013. Presented by John Parmigiani, President, John C. Parmigiani & Associates
  2. • Introductions
     • Session Objectives
     • What’s it all about?
     • The Affected Areas that Changed
     • Getting Ready for Compliance
     • Still to Come
     • Conclusions
     • Appendices
       – Appendix A: Summary of Major Change Areas and Impacts
       – Appendix B: References
     • Questions & Answers
     © John Parmigiani, 2013
  4. John Parmigiani
     • President, John C. Parmigiani & Associates, LLC
     • QuickCompliance, Inc. Senior Vice President for Consulting Services
     • CTGHS National Practice Director for Regulatory and Compliance Services
     • HCS Director of Compliance Programs
     • HIPAA Security Standards Government Chair / HIPAA Infrastructure Group
     • Directed development and implementation of security initiatives for HCFA (now CMS) as Director of Enterprise Standards:
       – Security architecture
       – Security awareness and training program
       – Systems security policies and procedures
       – E-commerce/Internet
     • Directed development and implementation of agency-wide information systems, policy, and standards and information resources management for HCFA
     • AHIMA Privacy and Security Council; Advisory Board, Guide to Medical Privacy and HIPAA; AMC Workgroup on HIPAA Security and Privacy; Content Committee of CPRI-HOST/HIMSS Security and Privacy Toolkit; Editorial Advisory Boards of HIPAA Compliance Alert’s HIPAA Answer Book and HIPAA Training Line, HIPAA Training Alert, and Health Information Compliance Alert; Chair, HIPAA-Watch Advisory Board; Train for HIPAA Advisory Board; Train for Compliance Board of Directors; HIMSS Privacy and Security Steering Committee; JCAHO/NCQA Privacy Certification Committee for BAs; Gerson Lehrman Health Experts Council; Frequent speaker at national conferences; HIPAA Summit Distinguished Service Award in 2009
  6. Session Objectives
     This session is focused on providing participants with an understanding of:
     • all facets of the Omnibus Rule and the impacts on your organization
     • how the new HIPAA differs from the old HIPAA regulatory requirements
     • what each of the major components means and what the federal expectation for compliance with each is
     • action items your category of healthcare organization must take over the next six months to attain and maintain continuous compliance
  8. The Omnibus Rule… Quick Synopsis
     • Official Title: “Modifications to the HIPAA Privacy, Security, and Breach Notification Rules under the Health Information Technology for Clinical Health Act and the Genetic Information Nondiscrimination; Other Modifications to the HIPAA Rules”, published on January 25, 2013, finalizes the following:
       – Interim final Breach Notification Rule (Aug. 2009)
       – Genetic Information Nondiscrimination Act (GINA) modifications to HIPAA (proposed Oct. 2009)
       – Interim final HITECH Act Enforcement Rule (Oct. 2009)
       – HITECH Act privacy and security provisions (proposed July 2010)
     • AKA: The New HIPAA
  9. The Omnibus Rule
     • Regulatory timeline leading to the Omnibus Rule:
       – 4/14/03: Privacy Rule
       – 4/21/05: Security Rule
       – 2/17/09: ARRA (HITECH)
       – 9/23/09: Interim Final Rule for Breach Notification
       – 11/30/09: Enforcement
     • Omnibus:
       – 1/25/13: Final Rule
       – 3/26/13: Effective Date, Final Rule
       – 9/23/13: Compliance Date, Final Rule
     • Link between MU stages and privacy and security in Omnibus:
       – Risk assessment
       – Encryption
     • The new rule is a delicate balance between protecting and sharing patient PHI and realizing the benefits of Health Information Technology (HIT)
  10. Importance of IT to Health Care
     • Information technology is the backbone of a high performance delivery system.
     • Information technology enables collaborative care delivery. IT plays an important role in helping providers deliver high quality patient care and safety.
     • The right technology solution will enable collaboration, patient safety, and quality care.
     HIT is not just for the more efficient merger of data capture and handling with clinical technology but for the more effective and safe delivery of health care.
  11. HIPAA, HITECH and the Path to the EHR & HIE
     HIPAA Administrative Simplification:
     • HIPAA Transactions and Code Sets
     • HIPAA Privacy Rule
     • HIPAA Security Rule
     • National Provider Identifier
     HITECH (strengthened requirements and enforcement):
     • Privacy
     • Security
     • Meaningful Use*
       – Standards
       – Certification
     • EMRs
     • EHR
     • HIE
     *David Blumenthal, MD, ONC, on meaningful use, Dec. 7, 2009: “It’s not the technology that’s important, but its effect. Meaningful use is not a technology project, but a change management project. Components of meaningful use include sociology, psychology, behavior change, and the mobilization of levers to change complex systems and improve their performance.”
  12. Privacy and Security is the Foundation for HIT
     [Diagram: Health IT resting on a foundation of Privacy and Security]
  13. HIPAA Privacy/Security Comparisons
     Privacy Rule:
     • Patient-centric
     • PHI: electronic, paper, & oral
     • Awareness & Training
     • BA Contracts
     • Privacy Officer(s)
     • All aspects of delivering health care
     • Reasonableness
     Security Rule:
     • Covered entity-centric
     • PHI: electronic
     • Awareness & Training
     • BA Contracts
     • Security Officer(s)
     • All aspects of delivering health care
     • Reasonableness and Appropriateness
  14. Information System Security
     • Information System Security is designed to:
       – Protect systems and data against intrusion;
       – Prevent unauthorized access to or modification of information; and
       – Have information accessible to authorized users
     • Uphold the three primary cornerstones of Information Security, making sure that only the right people get the right information at the right time!
       – Confidentiality: information is not disclosed to unauthorized personnel
       – Integrity: protect information from unauthorized modification or destruction
       – Availability: uninterrupted access to critical systems, resources, or data for authorized personnel
     Can have security by itself, but can’t have privacy without security!
  15. People and Technology
     • “To err is human; to really mess things up takes a computer” …Anonymous
     • “But on the other hand, there is no system in this world that a human can’t mess up, either inadvertently or on purpose” …Me
  16. Accepted Security Principles
     • Need to Know (minimum use)
     • Least Privileges
     • Separation of Duties
     • Defense-in-Depth
     • Security Equation: Security = People + Process + Policy + Technology + [Common Sense]
     Repeated thoughtful use of these well-accepted principles reduces risk.
  17. Why is Protecting Patient Data so Important?
     • People choose to disclose their most intimate information in order to get healthy
     • Caregivers earn their trust by guaranteeing privacy
     • Privacy is assured by properly protecting systems and information
     • Breaches undermine patient confidence
     • Without confidence, people avoid treatment, lie or omit information, opt out, and potentially get sicker
     • Medical identity theft is on the rise
     • Increased medical device use opens patients to safety risks through life-threatening cyber changes and malware infestation
     • Privacy and security are integral components of delivering safe and effective health care
  18. What are the major Change Areas to the New HIPAA?
     Changes to:
     • Business Associates
     • Breach Notification
     • Enforcement
     • The Privacy Rule
       – Marketing
       – Fundraising
       – Sale of PHI
       – Research
       – Student Immunization Records
       – Decedent Information
       – Notice of Privacy Practices
     • Patient Rights
     • GINA (Genetic Information Nondiscrimination Act)
     Note: The only major changes from the Security Rule perspective are that Business Associates and their subcontractors must be fully compliant with the Rule’s requirements and that BAs must be contractually bound to their subcontractors.
  20. Business Associate: before vs. now
     Prior to the HITECH Act, a BA was not subject to direct enforcement and compliance with HIPAA privacy and security requirements:
     – A BA’s obligations arose solely under the terms of its BA agreement with a CE
     – The BA was subject only to contractual remedies for breach of the BA agreement (BAA)
     Under the final rule, a BA now:
     – Must comply directly with all requirements of the HIPAA Security Rule (in the same way as a CE)
     – Is directly liable for impermissible uses and disclosures of PHI under HIPAA
     – Must provide the CE with notice of breach in accordance with the Breach Notification Rule
     – Is required to provide access to a copy of electronic PHI to the CE (or the individual)
     – Must provide PHI where required by the Secretary to investigate the BA’s compliance with HIPAA
  21. New Definition for a Business Associate
     “Business associate” means one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI.
     “Business associate” now also means “subcontractor of business associate” who creates, receives, maintains or transmits PHI on behalf of a business associate, and includes:
     • Patient Safety Organizations
     • Health information exchange organizations
     • e-prescribing gateways
     • covered entities’ personal health record vendors (not all PHRs)
     • Data transmission providers that require access to PHI on a routine basis
     • Not included: those who provide mere transmission services, like digital couriers or “mere conduits” (e.g., the US Postal Service)
  22. Examples of Business Associates
     • Transcriptionists
     • Contract coders
     • Contracted laboratory and radiology departments
     • Third-party billers/claims processors
     • Collection agencies
     • Software vendors
     • Interpreters
     • Hospital couriers
     • Pharmacies with hospital contracts
     • Contracted cleaning staff members
     • Security shredding companies
     • Vendors
     • Web design contractors
     • Pharmacy Benefit managers
     • Third-party administrators
     • Marketing contractors
     • Consultants
     • Actuaries
     • Lawyers
     • Waste management companies
     • Off-site storage facilities
     • Auditors
     • Management Companies
     • Accreditation Organizations
     • PHR vendors (FTC)
     • HIEs
     • RHIOs
     • e-Prescribing Gateways
     • Cloud Companies
  23. New BA Chain of Trust Concept
     • Downstream entities also must comply with Privacy and Security standards to the same extent as BAs
     • Subcontractor: acts on behalf of a BA, other than in the capacity of a BA workforce member
       – Creates, receives, maintains, or transmits PHI on behalf of a BA
     • The BA must obtain satisfactory assurances from the subcontractor on privacy and security protections in the form of a BAA
       – CEs are not required to obtain a BAA from the subcontractor
     • If a BA knows of a sub-BA pattern of activity or practice constituting a breach of the sub-BA’s obligations under the BAA, the BA needs to either cure the breach or terminate the BAA, if feasible
     [Diagram: Covered Entity -(BAA)- Business Associate -(BAA)- Subcontractor]
  24. Cloud Companies
     • The regulation states that “data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis; … entities that manage the exchange of protected health information through a network, including providing record locator services and performing various oversight and governance functions for electronic health information exchange, have more than ‘random’ access to protected health information and thus, would fall within the definition of business associate.”
     • Also, according to guidance on the HHS website, a “software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity.”
  25. For What are BAs Liable?
     • Impermissible uses and disclosures
     • Breach notification to the covered entity
     • Failure to provide electronic copies of ePHI as specified in the business associate contract
     • Failure to disclose PHI to HHS for HIPAA investigations
     • Failure to provide an accounting of disclosures
     • Failure to comply with the applicable requirements of the HIPAA Security Rule
       – implement administrative, physical, and technical safeguards, establish policies and procedures, conduct risk assessments, etc. in compliance with the HIPAA Security Rule, the same as a CE
       – enter into BAAs with subcontractors imposing the same obligations that apply to the BA
     • Failure to comply with the Privacy Rule to the extent the BA is carrying out a CE’s obligations under the Privacy Rule
  27. Security Incidents: Security Breach
     [Diagram: a Security Incident (unauthorized use or disclosure) involving unsecured (e.g., unencrypted or unshredded) PHI with (potential) harm becomes a Security Breach]
     Security Breach: an unauthorized acquisition, access, use or disclosure of unsecured PHI which poses financial or other risks of harm to the individual
     Security Incident, required to:
     • Conduct an investigation
     • Notify CE
     • Log/document related information
     Security Breach, required to:
     • Conduct an investigation
     • Notify CE
     • Log/document related information
     • Notify all affected individuals
  28. Security Incidents/Breach Reporting: Process for Handling
     There are a series of steps that must be undertaken in the event of a suspected or actual security incident:
     Identification → Investigation → Mitigation → Notification → Modifications to Policies or Procedures? → Documentation
     No two data breaches are ever exactly alike. Be prepared for anything!
     • Form a team
     • Know what information has to be reported
     • Test and refine the process
  29. The New Breach Notification Rules…
     The Final Rule also clarifies other aspects of the covered entity’s responsibilities with respect to a breach, including:
     • Encryption Safe Harbor: No breach notification is required if the PHI that is improperly disclosed is encrypted pursuant to “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.”
     • 60 Day Timeframe for Notifying Individuals: The Final Rule clarifies that the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule.
  30. The New Breach Notification Rules
     • Limited Data Set Exception Removed: Previously, a breach exception existed for an impermissible use or disclosure of PHI that qualified as a “limited data set” which excluded dates of birth and zip codes (both identifiers that may otherwise be included in a limited data set). A Covered Entity or Business Associate must now perform a risk assessment following an impermissible use or disclosure of any limited data set.
     • Notification by Business Associate: The covered entity is ultimately responsible for providing individuals with notification of a breach, and the clock for notifying individuals of a breach begins upon knowledge of the incident, even if it is not yet clear whether the incident actually qualifies as a reportable breach. If the BA is an agent, its first awareness of a breach is treated as the time the covered entity became aware.
  31. Classifications of Data (applies to both paper and electronic)
     • Data At Rest: data in a database or structured storage system, electronic file or paper file, USB drive, on a laptop, etc. The guidance refers readers to NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
     • Data in Motion: data that is moving through a network, including being transmitted wirelessly. Data in motion can be protected by following NIST’s Federal Information Processing Standard FIPS 140-2 and using FIPS 140-2 compliant encryption software; Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-113, Guide to SSL VPNs; 800-77, Guide to IPsec VPNs.
     • Data Disposed: data that has been destroyed or recycled. The guidance refers to NIST Special Publication 800-88, Guidelines for Media Sanitization.
     • Data in Use: data that is being created, deleted, updated or retrieved. This class of data is protected by the methods outlined in the other three classes listed above.
  32. Secured PHI vs. Unsecured PHI
     PHI is secure if it is rendered unusable, unreadable or indecipherable to unauthorized individuals by:
     1) Acceptable* encryption, where the encryption process or key has not been breached:
       – * the valid encryption processes for PHI in databases are as specified in National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and for PHI flowing through a network, including wireless, as specified in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; 800-113, Guide to SSL VPNs; and others validated by Federal Information Processing Standards (FIPS) 140-2.
  33. Secured PHI vs. Unsecured PHI
     2) Acceptable destruction:
       – Paper, film, or other hard copy media shredded or destroyed so PHI cannot be read or reconstructed. Redaction is specifically excluded as a means of data destruction.
       – Electronic media cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization
  34. “Safe Harbor”
     • “While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by in the event of a breach.”
       – “On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals.”
  35. HHS Definition of Encryption
     • Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” [45 CFR 164.304, definition of ‘encryption’] and such confidential process or key that might enable decryption has not been breached.
     • To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
     • Encryption is not an acceptable measure if the keys are not separate from the data they secure, or if the data can be breached through other means.
  36. Encryption Facts
     • Confidentiality is assured by a combination of the strength of the algorithm, which is publicly known, and the keys, which are kept private, used to encrypt messages
       – Asymmetric encryption is used for authentication; symmetric encryption is used for large data transfers, as it is computationally more efficient
     • Most experts agree data thieves are far more likely to obtain information by stealing hard drives etc. (data at rest) than by trying to intercept information in transit (data in motion); encryption is ideal for protecting data at rest
     • A “deploy once, enable over time” approach is best for provisioning and managing encryption applications in a combination of gateway and end-point locations
       – Centralized, enterprise-wide platform where encryption is “pushed” out
     • 128-bit encryption is the minimum protection; 256-bit is a best practice
     • SSL has largely been replaced with TLS (Transport Layer Security)
  37. HHS definition of destruction of PHI
     Media on which PHI is stored or recorded must be destroyed:
     • Paper, film, or other hard copy media
       – Must be shredded or destroyed such that PHI cannot be read or otherwise reconstructed
     • Electronic media
       – Must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization
  38. Reportable Breach…
     Previously, a “breach” was defined as:
     • The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information. In this case, the unauthorized use or disclosure posed a significant risk of financial, reputational, or other harm to the individual.
     • Determination of a reportable breach by “Harm Threshold”: “significant risk of financial, reputational, or other harm” to the individual
     has been replaced by:
     • Presumption of a reportable breach, unless a risk assessment shows a low probability that the PHI has been compromised
  39. Reportable Breach
     The new definition:
     • “Breach”: unauthorized acquisition, access, use, or disclosure of PHI which compromises the security/privacy of such information and places the organization at risk, except when an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information or when there is:
       – Unintentional acquisition, access, or use of PHI by an employee or individual acting under authority of a CE or BA in good faith and within the scope of employment or other relationship; or
       – Inadvertent disclosure involving employees or individuals acting under authority of a CE or BA; or
       – Inadvertent disclosure to a third party not reasonably able to retain the information
  41. Determination of Risk
     • Need to determine, when there is an alleged breach of unsecured PHI [“unsecured” PHI is PHI not secured through the use of a technology or methodology specified by HHS that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals], whether there was a low probability that the protected health information has been compromised {“whether or not the data involved in the breach were at significant risk of being inappropriately viewed, re‐identified, re‐disclosed, or otherwise misused”, as defined by the Center for Democracy and Technology/Markle Foundation}
     • The CE must be able to demonstrate through documentation that there was a low probability of risk, determined by a thorough examination that was done in good faith and resulted in reasonable, defensible conclusions. If a low probability of risk has not been demonstrated, the CE must report the breach. Also, the CE can always report the breach and not perform the risk assessment.
  42. Determining Risk
     Four required risk assessment factors:
     1. Nature and extent of PHI involved; for example, was it:
       – Social security numbers, credit cards, financial data (risk of identity theft or financial fraud)
       – Clinical detail, diagnosis, treatment, medications
       – Mental health, substance abuse, sexually transmitted diseases, pregnancy
     2. The unauthorized person who used the PHI or to whom the disclosure was made: does that person have obligations to protect it?
     3. Whether the PHI actually was acquired or viewed: e.g., a laptop, lost or stolen, but shown by forensics not to have been opened or PHI accessed
     4. The extent to which the risk to the PHI has been mitigated: reasonable assurance that information will not be disclosed or used, or was destroyed
  43. Possible “Low Risk” Situations
     Possible “low risk” situations of unauthorized acquisition, access, use, or disclosure are:
     • Only patient name and the fact that services were provided
     • None of the 16 limited data set identifiers nor zip code or date of birth of the patient were disclosed
     • De-identified PHI that was at risk of being re-identified was disclosed
     • PHI received or used by another CE or BA subject to HIPAA
     • PHI received or used by a Federal Agency subject to the Privacy Act of 1974 and FISA of 2002
     • PHI received by a third party, immediate steps were taken to mitigate the impermissible use or disclosure, and the third party gave assurances that the information would not be further used or disclosed and would be destroyed
     • PHI was received by a third party and returned with evidence that the privacy and security of the PHI was not compromised (e.g., laptop recovered, with forensic analysis to confirm)
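The breach determination laid out on the preceding slides (encryption safe harbor; presumption of a reportable breach unless a low probability of compromise is documented against the four factors; an agent BA's awareness counting as the CE's; the 60-day clock running from first knowledge), rendered as an added Python triage helper that is not part of the presentation. The dataclass fields, PHI element names and the three sample incidents are assumptions constructed for the example.

```python
"""Breach-notification triage helper for an incident involving PHI (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

NOTIFY_WINDOW_DAYS = 60  # the clock runs from first knowledge, not from the end of the investigation
# Factor 1 groupings taken from the "Determining Risk" slide; element names are assumptions
IDENTITY_FINANCIAL = frozenset({"ssn", "credit_card", "financial"})
CLINICAL = frozenset({"diagnosis", "treatment", "medications"})
ESPECIALLY_SENSITIVE = frozenset({"mental_health", "substance_abuse", "std", "pregnancy"})
NAME_AND_SERVICE_ONLY = frozenset({"name", "fact_of_service"})


@dataclass(frozen=True)
class Incident:
    description: str
    ce_aware: date                         # date the covered entity first knew of the incident
    ba_aware: Optional[date] = None        # date the business associate first knew, if involved
    ba_is_agent: bool = False              # BA acting as the CE's agent: its knowledge is the CE's
    encrypted_per_guidance: bool = False   # NIST SP 800-111 / 800-52 / 800-77 / 800-113, FIPS 140-2
    key_or_process_breached: bool = False  # the confidential key or process was also compromised
    phi_elements: FrozenSet[str] = frozenset()  # factor 1: nature and extent of the PHI
    recipient_hipaa_bound: bool = False    # factor 2: recipient is a CE/BA with HIPAA obligations
    phi_viewed: Optional[bool] = None      # factor 3: None = unknown, False = forensics show not viewed
    mitigated_with_assurances: bool = False  # factor 4: returned/destroyed with assurances of non-use


def discovery_date(inc: Incident) -> date:
    """First knowledge of the incident; an agent BA's awareness is imputed to the CE."""
    if inc.ba_is_agent and inc.ba_aware is not None:
        return min(inc.ba_aware, inc.ce_aware)
    return inc.ce_aware


def notification_deadline(inc: Incident) -> date:
    """Individuals must be notified within 60 days of discovery, investigation complete or not."""
    return discovery_date(inc) + timedelta(days=NOTIFY_WINDOW_DAYS)


def classify_phi(elements: FrozenSet[str]) -> str:
    """Factor 1: rank the nature of the PHI, most sensitive category first."""
    if elements & ESPECIALLY_SENSITIVE:
        return "especially sensitive"
    if elements & IDENTITY_FINANCIAL:
        return "identity/financial"
    if elements & CLINICAL:
        return "clinical"
    if elements and elements <= NAME_AND_SERVICE_ONLY:
        return "name and fact of service only"
    return "demographic"


def assess(inc: Incident) -> dict:
    """Build the documentation record: the four factors, the determination, its basis, the deadline."""
    record = {
        "description": inc.description,
        "discovered": discovery_date(inc).isoformat(),
        "notify_by": notification_deadline(inc).isoformat(),
        "factors": {
            "1_nature_and_extent": classify_phi(inc.phi_elements),
            "2_recipient_has_obligations": inc.recipient_hipaa_bound,
            "3_phi_acquired_or_viewed": inc.phi_viewed,
            "4_risk_mitigated": inc.mitigated_with_assurances,
        },
    }
    # Safe harbor: PHI secured per the HHS guidance is outside the breach rule entirely.
    if inc.encrypted_per_guidance and not inc.key_or_process_breached:
        record.update(reportable=False, basis="safe harbor: PHI encrypted per HHS guidance, key not breached")
        return record
    # Unsecured PHI: presumed reportable unless a low probability of compromise is documented.
    low_probability = None
    if inc.phi_viewed is False:
        low_probability = "factor 3: forensics show the PHI was not acquired or viewed"
    elif inc.recipient_hipaa_bound:
        low_probability = "factor 2: recipient is a CE/BA bound by HIPAA"
    elif inc.mitigated_with_assurances:
        low_probability = "factor 4: mitigated, recipient gave assurances of non-use and destruction"
    elif record["factors"]["1_nature_and_extent"] == "name and fact of service only":
        low_probability = "factor 1: only the name and the fact that services were provided"
    if low_probability:
        record.update(reportable=False, basis="low probability of compromise; " + low_probability)
    else:
        record.update(reportable=True, basis="presumed breach: low probability not demonstrated")
    return record


def sample_records() -> list:
    """Constructed incidents (not real events) that exercise each decision path."""
    lost_laptop = Incident("unencrypted laptop stolen from an agent BA's staff car",
                           ce_aware=date(2013, 4, 10), ba_aware=date(2013, 4, 1), ba_is_agent=True,
                           phi_elements=frozenset({"name", "ssn", "diagnosis"}))
    encrypted_laptop = Incident("FIPS 140-2 full-disk-encrypted laptop stolen; key held separately",
                                ce_aware=date(2013, 4, 10), encrypted_per_guidance=True,
                                phi_elements=frozenset({"name", "ssn", "diagnosis"}))
    misdirected_fax = Incident("clinical summary faxed to the wrong covered entity",
                               ce_aware=date(2013, 5, 2), recipient_hipaa_bound=True,
                               phi_elements=frozenset({"name", "treatment"}))
    return [assess(lost_laptop), assess(encrypted_laptop), assess(misdirected_fax)]
```

The record returned by `assess` is the documentation the slides say a CE must be able to produce; whatever the determination, the deadline is computed from first knowledge so the 60-day window is never started late.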
  45. New Enforcement Efforts and Priorities
     • Civil Monetary Penalties (and Resolution Agreements)
     • Violations categorized
     • Tiered ranges of civil money penalty amounts
  46. Increased Enforcement
     • Who may investigate:
       – HHS Office for Civil Rights
       – State attorneys general
       – U.S. Department of Justice
     • How an investigation will begin:
       – Complaint
       – Compliance review
       – Breach report
  47. The New Enforcement Rules and Penalties…
     • Applies to Covered Entities and Business Associates
     • New focus on willful neglect
     • Willful neglect: conscious, intentional failure, or reckless indifference to comply
     • OCR will investigate all cases where a “preliminary review of the facts indicates a possible violation due to willful neglect” and also conduct a compliance review, with discretion to investigate any other complaints (with some possible unintended consequences: additional CMPs and corrective action plans)
     • OCR will impose a penalty on all violations due to willful neglect
  48. The New Enforcement Rules and Penalties
     • OCR may proceed to penalty without seeking informal resolution (e.g., settlement: resolution agreement and/or corrective action plan)
     • Corrective Action Plans
       – Typically three years
       – Independent audits (annually)
       – Fixing shortfalls
       – Training
       – Policies and procedures
       – Administrative, physical, and technical safeguards
  49. Enforcement Changes with the Omnibus Rule: New Definitions
     • Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
     • Reasonable diligence is an alternate term for due diligence. It means the care and attention that is expected from and is ordinarily exercised by a reasonable and prudent person under the same circumstances.
     • Willful neglect means the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur but also encompasses a conscious intent or degree of recklessness with regard to its compliance obligations.
  50. Enforcement: New Penalties…
     • Tier A (Did Not Know): the CE/BA did not know and, with reasonable diligence, would not have known of the violation, and would have handled the matter differently if it had. This results in a $100 - $50,000 fine for each violation, and the total imposed for identical violations cannot exceed $1,500,000 for the calendar year.
     • Tier B (Reasonable Cause): for violations due to reasonable cause, but not “willful neglect”; anything between “did not know” and “willful neglect”. The result is a $1,000 - $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for identical violations for the calendar year.
  51. Enforcement: New Penalties
     • Tier C (Willful Neglect, Corrected within 30 days): for violations due to willful neglect that the organization corrects within a 30-day time period. The result is a $10,000 - $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for identical violations for the calendar year.
     • Tier D (Willful Neglect, Not Corrected within 30 days): for violations due to willful neglect that the organization did not correct within a 30-day time period. The result is a $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for identical violations for the calendar year.
  52. Factors for Determining the Amount of a Civil Monetary Penalty (CMP)
     • The nature of the claims and the circumstances under which they were presented
     • Number of individuals affected
     • Time period of the violation
     • The degree of culpability
     • History of prior HIPAA compliance (including previous indications of noncompliance)
     • Financial condition of the person presenting the claims, and
     • “Such other matters as justice may require.”
  53. Enforcement by State Attorneys General
     • AGs are authorized to seek injunctions, and to seek damages on behalf of residents of the state
     • Damages = number of violations x $100, up to $25,000 per year for identical violations
     • Courts are authorized to award attorneys’ fees
     • OCR has conducted HIPAA enforcement training for state AGs
     • AGs in many states may view HIPAA enforcement as related to their historic interests in consumer protection
     • AGs also have an interest in thwarting identity theft, which they see as logically related to security breaches
     • Some AGs may see potential for political gain in pursuing prominent targets
  54. Criminal Penalties
     Department of Justice administered (knowingly obtaining or disclosing PHI in violation of HIPAA):
     • $50,000 and/or up to one year imprisonment
     • $100,000 and/or up to five years imprisonment if false pretenses
     • $250,000 and/or up to ten years imprisonment if commercial advantage, personal gain, or malicious harm
  56. 56. Marketing… • Originally, under HIPAA, marketing uses of PHI required prior patient authorization; however, communications sent by CEs for treatment or to recommend additional benefits or services were not marketing. • Now, prior authorization from the patient required for using or disclosing PHI where the CE or BA receives financial remuneration for making a marketing communication from the third party whose product or service is being promoted © John Parmigiani, 2013 56
  57. 57. Marketing… • Authorization must disclose that the communication is paid for • Covered entities can use a general authorization for all such communications or do it on a case‐by‐case basis – Note: in general, always need an authorization for any subsidized communication • Exceptions: • Refill reminders © John Parmigiani, 2013 57
  58. 58. Marketing Exceptions (cont’d.): • Subsidy allowed for currently prescribe drug or biologic; includes generics – Subsidy must be reasonably related to cost of making the communication (cannot make a profit) • Face-to-face communications remain exempt with no requirement for any subsidy to be reasonable (related to labor, supplies and postage) • Communication consisting of promotional gifts of nominal value provided by the covered entity remain exempt © John Parmigiani, 2013 58
59. 59. Fundraising…
Currently, a Covered Entity may use, and disclose to a business associate or institutionally related foundation, limited PHI to raise funds for the entity, and may disclose demographic information (name, address, other contact information, age, gender, and date of birth) as well as the dates of health care provided, qualified under Omnibus as follows:
• Fundraising may only make use of PHI to promote the entity (not to benefit a third party)
• Expanded types of PHI may be used for fundraising: department of service, treating physician, health insurance status, and outcome are added to demographic information (name, address, other contact information, age, gender, and date of birth) and dates of health care provided
60. 60. Fundraising
• Requires a clear and conspicuous opt-out, which must be honored
• Can notify of opt-out in the initial communication; can offer an overall opt-out as well; instructions must be clear
• Cannot condition treatment on not opting out
• Can provide a method for opting back in
61. 61. Sale of PHI…
• Sale of PHI: a disclosure of PHI where the covered entity or business associate directly or indirectly receives remuneration (financial and non-financial) from or on behalf of the recipient of the PHI in exchange for the PHI, subject to exceptions
  – Covered entities and business associates may not sell PHI
• Authorization generally required, with notice that disclosure of PHI is in exchange for payment and/or nonfinancial benefits
• Exceptions for:
  – Public health
62. 62. Sale of PHI
• Exceptions (cont'd.):
  – Research purposes – remuneration must be reasonably related to the cost of preparing and transmitting information (can include indirect costs but cannot make a profit)
  – Treatment and payment – disclosure of PHI to receive payment is not a "sale" of PHI
  – Corporate transactions – sale of a covered entity or related due diligence
  – Disclosures to business associates
  – Disclosures to the individual for access and accounting of disclosures
  – Disclosures required by law
  – Other disclosures permitted by the rules, provided remuneration is reasonable and related to the cost of making the disclosure
63. 63. Research…
Researchers have long sought changes to both HIPAA and the Common Rule to ease the uses of patient data for research purposes
• The Common Rule Advance Notice of Proposed Rule Making was released on July 25, 2011 – the changes under consideration seek to ensure the highest standards of protections for human subjects involved in research, while e
  – Allow remuneration for transfers of PHI for research (must be a reasonable fee based on costs)
64. 64. Research
The Omnibus Rule has brought about some favorable changes for the health research community:
• Allowance of compound authorizations, but they must differentiate between conditioned and unconditioned portions
  – Unconditioned authorization must be "opt-in"
• Authorizations no longer have to be study-specific; can have an authorization for future research as long as the description of the future research uses is sufficiently clear that it would be "reasonable for an individual to expect that his/her PHI could be used or disclosed for such future research"
65. 65. Student Immunization Records
• Covered entity may release student immunization records to a school without authorization
  – If state law requires the school to have the immunization record
  – If there is a written or oral agreement, it must be documented
66. 66. Decedent Information
• No longer PHI 50 years after death (specific exclusion from the definition of PHI)
• Covered entity may disclose PHI to persons involved in the decedent's care or payment if not contrary to a prior expressed preference
67. 67. Notice of Privacy Practices (NOPP)
Must add:
• Prohibition on sale of PHI
• Duty to notify affected individuals of a breach of unsecured PHI
• Right to opt out of fundraising (if applicable)
• Right to restrict disclosure of PHI when paid out of pocket
• Limit on use of genetic information (certain health plans only)
69. 69. Increased Patient Rights…
• Patients are the "owners" of their health information; covered entities are the "custodians" of that information
• The revisions to the HIPAA Privacy Rule under Omnibus give even more control of a patient's PHI to the patient.
• The push under HITECH toward robust EHR systems and the extensive sharing and interchange of PHI is heavily dependent on "trust" by the patient; hence the necessity for giving patients a greater say in how their health information is used, disclosed, and factored into caregiver, health plan, and research operations. This contract with the patient by the healthcare community is generally put forth in a Notice of Privacy Practices, delineating an "expectation" of how a patient's PHI will be safeguarded from unauthorized and impermissible actions.
70. 70. Increased Patient Rights…
Right of Access: Electronic Copy
• Individual continues to have the right to a copy of the designated record set in the requested form or format, if readily producible
• If not readily producible, then:
  – If the designated record set is maintained electronically, the individual has a right to an electronic copy (new)
  – If the designated record set is maintained in hard copy, the individual has a right to a hard copy
• Individual may designate a third party to receive the copy
  – Must be in writing
  – Clearly identify the designated person
  – Clearly identify where to send the copy
71. 71. Increased Patient Rights…
Restriction for Out-of-Pocket Services
• Covered entity must agree to an individual's request to restrict disclosure to a health plan of a product or service they received
  – For payment or health care operations
  – Unless disclosure is required by law
  – If the individual (or a third party) pays for the item or service out of pocket in full
• Providers are not required to notify other providers of restrictions
  – Responsibility for notifying other providers falls on the patient
• Payment from a flexible spending account or health savings account is considered out-of-pocket payment
• Providers can require up-front payment in full, or where precertification from a health plan is required before treatment.
72. 72. Increased Patient Rights…
Restriction for Out-of-Pocket Services
• Carrying out this requirement could prove difficult, in large part because many EHR, e-prescribing, and other information systems lack features that easily allow segments of data to be flagged or withheld from electronic transmission.
• Communication with software vendors is critical if this requirement is to be efficiently implemented in an ever-increasing electronic healthcare environment
• Providers may need to develop an interim process and explain to patients selecting this option what the patient's responsibilities are and what downstream coordination may be required
74. 74. GINA Edicts…
Genetic Information Nondiscrimination Act of 2008 ("GINA") – Notice of Proposed Rule Making (GINA Rule) October 7, 2009
• Genetic information is considered PHI
  – Genetic information is:
    – An individual's genetic tests
    – Genetic tests on family members of the individual
    – Manifestation of disease in a family member
    – Request for or receipt of genetic services, or participation in research that includes genetic services
• Prohibits genetic discrimination in health insurance and employment
75. 75. GINA Edicts
• Omnibus Rule implements GINA by:
  – Declaring genetic information (as defined in GINA) to be PHI
  – Prohibiting most health plans covered by HIPAA from using or disclosing PHI that is genetic information for underwriting
  – Requiring plans to notify beneficiaries about this restriction in the NOPP
• Exception for long-term care insurers, who can use genetic information for underwriting
77. 77. What all CEs, BAs, and Subs should be doing to be ready for compliance by 9/23/2013…
• Risk-based assessment
  – Inventory of PHI (paper and electronic)
  – Identify installed safeguards
  – Security management process
• Secure PHI per DHHS recommendations
  – Render it unusable, indecipherable, and unreadable: NIST encryption algorithms for data "at rest" and "in motion"; NIST destruction methods (the breach notification "Safe Harbor")
  – De-identify when feasible
• Breach identification, protection, and notification procedures
  – Know what your state(s)' breach notification laws require and synchronize them with the federal requirement where possible; use your current security incident process and the Red Flag Rules' notification process as building blocks
• Form a response team and test the response process
78. 78. What all CEs, BAs, and Subs should be doing to be ready for compliance by 9/23/2013
• Train staff
• Strengthen contracts/vendor support
• Establish "rules of engagement" for all who come in contact with your PHI
  – Vendors
  – Contractors
  – Temporary staff
  – Volunteers
• The best way to prevent liability under the new requirements is to show past and continuing compliance – entities should take steps before a violation occurs to prevent violations and ensure that compliance is adequately documented.
79. 79. What must BAs and their Subcontractors Do…
• Business associates and their subs are required to directly comply with the provisions of the HIPAA Security Rule:
  – Administrative standards
  – Physical standards
  – Technical standards, and
  – Policy, procedure, and documentation requirements
• As if they were covered entities
• The burden is on BAs to obtain "satisfactory assurances" from their subs that they will comply with applicable requirements of the HIPAA Privacy and Security Rules
  – Subs need to be contractually bound with a BAA-like document
• Need to engage in the security compliance process beginning with risk analysis and risk management
  – Performing a risk analysis and generating a corresponding risk management plan is a critical first step.
  – See References
80. 80. What must BAs and their Subcontractors Do
HIPAA Privacy Rule Compliance
• Business associates and their subs may use and disclose PHI only if such use or disclosure is in compliance with each applicable requirement of the privacy provisions of their business associate contracts
• Business associates should revisit existing processes relating to privacy requirements under their business associate contracts and also include such stipulations in contracts with subs
81. 81. What CEs should be doing now vis-à-vis BAs…
• Identify all of your BAs – you may need to review your accounts payable file to determine whether any of those you do business with are BAs
• Probable actions/add-ons to the BAA:
  – Adding compliance with the HIPAA Privacy and Security Rules to the BAA
  – Creating a breach notification process and adding compliance with it to the BA contract; you may want to specify notification within X days (5?) of discovery
  – Considering a one-size-fits-all BA contract that can be further tailored, if necessary, to incorporate additional provisions that may be required through regulations adopted by HHS (e.g., allow for unilateral modification of the Agreement to the extent necessary to comply with changes in the law)
  – Indemnification of the CE for any reasonable expenses the CE incurs in notifying individuals of a breach caused by the Business Associate or its subcontractors or agents
82. 82. What CEs should be doing now vis-à-vis BAs
• Specifying that BAs should bind their subcontractors to comply with HIPAA/HITECH requirements and obtain "satisfactory assurances" that they are doing so
• Establish good working relationships with their BAs
  – Who to contact
  – Occasional meetings/dialogue to ensure working in sync
• Obtaining a BAA from the subcontractor is a responsibility of the BA, not the CE
• Also, the CE should be able to review the BA's practices, policies, and procedures upon request
83. 83. What BAs should be doing now…
• Identify all of your subcontractors that touch your PHI and the PHI of the CEs you serve
• Craft your own BAA- or BAC-type document for your subcontractors
• Develop a breach (security incident) process
• Design a notification process that seamlessly feeds into your covered entities and incorporates your subs
• Develop and implement a security program
84. 84. What BAs should be doing now
• Establish policies and procedures that address each Security Rule standard
• Implement a security awareness and training program
  – Limiting risks through the "Three E's":
    • Establish policies and procedures
    • Educate employees
    • Enforce policies
• Designate a security official
• Conduct a risk analysis
• Establish and implement a security management process
85. 85. Summary of Major To-Dos by Specific Type of Organization…
Providers
• Look at policies, procedures, and training and make necessary revisions
• Train staff
• Revise NOPP
• Review and update your list of BAs
• Communicate with BAs regarding new obligations
• Update BA contracts
86. 86. Major To-Dos by Specific Type of Organization…
Health Plans
• Make sure the HIPAA Privacy and Security policies and procedures are updated as necessary
• Revise NOPP, emphasizing the prohibition on using or disclosing PHI that is genetic information of an individual for underwriting purposes, and, at the next annual mailing, provide either the notice or the material changes
• Post the revised NOPP on the website
• Train staff on the new regulations
87. 87. Major To-Dos by Specific Type of Organization
Business Associates
• Do a Security Risk Assessment
• Establish policies and procedures in accordance with CE obligations and the HIPAA Security Rule
• Communicate with subcontractors regarding new obligations
• Amend BAA contracts with subcontractors
• Train workforce
• Appoint a Security Officer
89. 89. Still to Come…
• HITECH Act Accounting of Disclosures/Access Report Rule (proposed May 2011)
• Guidance on the minimum necessary standard
• Amendments to the Clinical Laboratory Improvement Amendments (CLIA) and HIPAA (proposed Sept. 2011)
• Common Rule Advance Notice of Proposed Rulemaking (published July 2011)
90. 90. Still to Come
• Breach bills, etc.
  – At the federal level: work toward national, robust, preemptive (rather than floor-level) regulatory requirements
    • Data Security and Breach Notification Act (Pryor-AR/Rockefeller-WV)
    • Personal Data Privacy and Security Act (Leahy-VT)
    • National Data Security Breach Notification Law (Mack-CA)
  – At the state level, always trying to keep pace with new threats to sensitive data
    • MA Data Privacy Law, considered the most stringent
    • 47 states (Data Protection Acts) + DC, Puerto Rico
    • Strengthened as new threats emerge
92. 92. And the Beat Goes On…
• The Omnibus Rule has extended the strength of HIPAA, but there will always be future refinements and regulations that help to implement the provisions of the law that must be developed and enacted
• The Omnibus Rule builds on the foundation that should be in place by compliance with HIPAA Privacy and Security
  – There will, of necessity, be some modifications and/or new processes required to fully meet HITECH changes as the nation moves toward a more fully engaged E-Health environment
93. 93. And the Beat Goes On
• Compliance is not a project but an ongoing process.
• We are in an era of increased enforcement with heightened penalties for non-compliance. CEs, BAs, and any organization that handles/has access to PHI should always be "audit ready".
• HHS and OCR have as their major focus that healthcare organizations strive toward a "culture of compliance".
• And, last but not least…
94. 94. Remember that…
• You are all patients at some point in time – how would you like to be treated and/or your healthcare information to be protected? …the Golden Rule
• You and your organization will be judged by the courts and the enforcement agencies by whether you exercised "due diligence" toward HIPAA and other regulatory compliance requirements. A critical piece of "evidence" will be your documentation.
95. 95. John Parmigiani 410-750-2497 jcparmigiani@comcast.net www.johnparmigiani.com
  97. 97. Appendix A Summary of Major Change Areas and Impacts
98. 98. Summary of Major Change Areas and Impacts – Breach Notification
New Requirement
• New definition of breach
• "Harm Threshold" replaced by "probability" that PHI has been compromised
• Burden of proof still on the covered entity
• No longer an exception for limited data sets that did not contain birth dates and zip codes
• Federal law is still a "floor preemption" and can be trumped by a more stringent state law that is not contrary
Impact
• CEs and BAs can either notify, or conduct a risk assessment to determine the probability that the PHI involved in a security incident was compromised and then decide whether or not to notify
• All work must be documented
• Steps to mitigate the risks to the PHI must be included in the assessment
• If the probability is not low, must notify
• CEs and BAs must update their policies and procedures and retrain their workforces
99. 99. Summary of Major Change Areas and Impacts – Business Associates
New Requirement
• New and expanded definition of a business associate – one that creates, receives, maintains, or transmits PHI on behalf of a covered entity
• New types added:
  – Patient Safety Organizations
  – Health Information Organizations (HIO)
  – E-Prescribing Gateways
  – Vendors of Personal Health Records
  – Any other person that "provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI"
• Subcontractors to BAs are now BAs
Impact
• New BAs and existing BAs are now covered under the same requirements for compliance with HIPAA/HITECH Security and Privacy as well as breach notification requirements
• CEs must rewrite their contracts to include these compliance areas
• Subcontractors must be bound by contract to also be compliant
100. 100. Summary of Major Change Areas and Impacts – Increased Enforcement
New Requirement
• New, increased Civil Monetary Penalties and the notion of "willful neglect – conscious, intentional failure or reckless indifference."
• Criminal penalties remain the same
Impact
• OCR must investigate all cases of possible willful neglect
• If a willful neglect violation is proven, OCR must impose a penalty
101. 101. Summary of Major Change Areas and Impacts – Patient Rights
New Requirement
• Restriction of disclosure for out-of-pocket payments
• Authorizations required for copies of PHI sent to third parties
• Electronic copies of PHI must now be made available
Impact
• CEs must agree to an individual's request to restrict disclosure to a health plan if the individual pays in full for a service; can be selected service(s) from a treatment encounter
• Authorization must be in writing and signed by the patient, clearly identifying the recipient and the recipient's location
• CE must be able to provide an electronic copy; a hard copy can also be requested
102. 102. Summary of Major Change Areas and Impacts – Notice of Privacy Practices
New Requirement
• Notice of Privacy Practices
Impact
• CEs must change their notice of privacy practices to include:
  – Prohibition of sale of PHI
  – Duty to notify in case of a breach
  – Right to opt out of fundraising
  – Right to restrict disclosure for out-of-pocket payments
  – Limit on use of genetic information for underwriting (health plans)
103. 103. Summary of Major Change Areas and Impacts – Uses and Disclosures of PHI
New Requirement
• Fundraising
  – Fundraising may only make use of PHI to promote the CE (not to benefit a third party)
  – Expanded types of PHI able to be used for fundraising – includes department of service, treating physician, and outcome
Impact
• Requires a clear and conspicuous opt-out, which must be honored
• Can notify of opt-out in the initial communication; can offer an overall opt-out as well; instructions must be clear
• Cannot condition treatment on not opting out
• Can provide a method for opting back in
104. 104. Summary of Major Change Areas and Impacts – Uses and Disclosures of PHI
New Requirement
• Research
  – Authorizations no longer have to be study-specific; can have an authorization for future research as long as the description of the future research uses is sufficiently clear that it would be "reasonable for an individual to expect that his/her PHI could be used or disclosed for such future research"
  – CEs may combine "conditioned" and "unconditioned" authorizations for research to simplify authorization paperwork.
Impact
• Notification to the individual is required that the authorization could be used for future research
• The authorization must differentiate between these two portions.
• Unconditioned authorization must be opted in.
105. 105. Summary of Major Change Areas and Impacts – Uses and Disclosures of PHI
New Requirement
• Student Immunization Records
  – Covered entity may release student immunization records to a school without an authorization
Impact
• If state law requires the school to have the immunization record
• Written or oral agreement (must be documented) from the person, a parent, or a person acting in loco parentis for the individual
106. 106. Summary of Major Change Areas and Impacts – Uses and Disclosures of PHI
New Requirement
• Decedent Information
  – No longer PHI 50 years after death (specific exclusion from the definition of PHI)
Impact
• Covered entity may disclose PHI to persons involved in the decedent's care or payment if not contrary to a prior expressed preference
107. 107. Summary of Major Change Areas and Impacts – Uses and Disclosures of PHI
New Requirement
• Marketing
  – Prior authorization from the patient is required for using or disclosing PHI where the CE or BA receives financial remuneration for making a marketing communication from the third party whose product or service is being described
  – Exceptions: refill reminders; subsidies allowed for a currently prescribed drug or biologic, including generics; face-to-face communications; communications consisting of promotional gifts of nominal value provided by the covered entity
Impact
• Authorization must disclose that the communication is paid for
• Covered entities can use a general authorization for all such communications or do it on a case-by-case basis
• Note: in general, an authorization is always needed for any subsidized communication
108. 108. Summary of Major Change Areas and Impacts – Uses and Disclosures of PHI
New Requirement
• Sale of PHI
  – Authorization generally required, with notice that disclosure of PHI is in exchange for payment; includes nonfinancial benefits
Impact
• Exceptions
  – Public health
  – Research purposes – remuneration must be reasonably related to the cost of preparing and transmitting information (can include indirect costs but cannot make a profit)
  – Treatment and payment – disclosure of PHI to receive payment is not a "sale" of PHI
  – Corporate transactions
  – Disclosures to business associates
  – Disclosures to the individual
  – Disclosures required by law
  – Other disclosures permitted by the rules, provided remuneration is related to the cost of making the disclosure
  109. 109. Appendix B References
110. 110. References…
1) The Omnibus Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 45 CFR Parts 160 and 164. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
111. 111. References…
2) OCR HIPAA/HITECH Website (HHS website): http://www.hhs.gov/ocr/office/index.html
  • Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
  • Health Information Technology for Economic and Clinical Health (HITECH) Act: http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
112. 112. References
  • OCR published a Final Guidance on Security Rule Risk Analysis Requirements on August 2, 2010: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
3) Sample Business Associate Agreement Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
4) NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/
5) HIPAA Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.htm
114. 114. Copyright Consent Information
This presentation is a copyrighted document. As the registered attendee, you are hereby granted permission to copy and distribute this presentation to your colleagues who attend this audio conference. 3-26-2013, The New HIPAA: Rules and Responsibilities
  115. 115. This presentation is intended solely to provide general information and does not constitute legal advice. Attendance at the presentation or later review of these printed materials does not create an attorney-client relationship with the presenter(s). You should not take any action based upon any information in this presentation without first consulting legal counsel familiar with your particular circumstances.