HIPAA Omnibus Rule: Critical Changes for Business Associates



On January 25, 2013, the Office for Civil Rights (OCR) published its long-awaited updates to the HIPAA Privacy and Security Rules, the Omnibus Rule. It is the most sweeping update to the HIPAA Privacy and Security Rules since the regulations were first published.

Join BridgeFront and leading consultant and attorney Susan A. Miller, JD, in this presentation, which addresses the critical updates and changes that affect business associates.

The Omnibus Rule becomes effective March 26, 2013. Covered entities and business associates of all sizes have 180 days beyond the effective date, until September 23, 2013, to come into compliance with the final rule's provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA.


  1. HIPAA Omnibus Rule: Critical Changes for Business Associates. Presented by Susan A. Miller, JD. Hosted by BridgeFront.

  2. Agenda
     ● What the Omnibus Rule includes
     ● Effective and compliance dates
     ● Business Associates
     ● Breach Notification
     ● Genetic Information Nondiscrimination Act (GINA)
     ● Enforcement
     ● Questions

  3. Dates + 4 Rules
     The Omnibus Final Rule is effective March 26, 2013; the compliance date is September 23, 2013. It finalizes four earlier rulemakings:
     ● July 2010 Notice of Proposed Rulemaking (NPRM) on the HITECH privacy and security changes to HIPAA
     ● October 2009 NPRM on the Genetic Information Nondiscrimination Act (GINA) changes to HIPAA
     ● August 2009 Interim Final Rule (IFR) on HIPAA Breach Notification
     ● October 2009 IFR on the HIPAA Enforcement Rule
  4. Business Associates Under HITECH: Who is a Business Associate?
     ● Omnibus Final Rule: an entity that "...creates, receives, maintains, or transmits [PHI] for a function or activity regulated by [HIPAA]..." on behalf of a Covered Entity
     ● The Omnibus Final Rule expanded the definition of Business Associate to include:
       ● Health Information Organizations
       ● E-prescribing gateways
       ● Personal Health Record (PHR) providers acting on behalf of a Covered Entity
       ● Patient Safety Organizations
       ● Subcontractors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Business Associate
     ● "Subcontractor" means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of that Business Associate's workforce

  5. New Business Associate Obligations: Summary of BA Obligations Prior to HITECH
     ● Before the HITECH Act, a BA was not directly subject to enforcement of, or compliance with, the HIPAA Privacy and Security requirements
     ● A BA's obligations arose solely under the terms of its BA agreement with the Covered Entity (CE)
     ● The BA was subject only to contractual remedies for breach of the BA agreement (BAA)

  6. New Business Associate Obligations: Summary of BA Obligations Under the Omnibus Final Rule
     ● Direct compliance with all requirements of the HIPAA Security Rule
     ● Directly liable for impermissible uses and disclosures of PHI under HIPAA
     ● Must give the CE notice of a breach in accordance with the Breach Notification Rule
     ● Must provide access to a copy of electronic PHI to the CE (or the individual)
     ● Must provide PHI where required by the Secretary to investigate the BA's compliance with HIPAA
     ● Must provide an accounting of disclosures as required by HITECH (final rule pending)
  7. New Business Associate Obligations: BA Security Rule Compliance and Oversight
     ● The Omnibus Final Rule requires BAs to comply with the HIPAA Security Rule's requirements and to implement policies and procedures in the same manner as a CE
     ● Requires the BA to implement administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule (most BA agreements already require this by contract)
     ● Compliance date under the Omnibus Final Rule: 9/23/13

  8. New Business Associate Obligations: BA Security Rule Compliance and Oversight (Cont'd)
     ● BAs must conduct a risk assessment and be more proactive and diligent in monitoring new rules, regulations, and guidance
     ● Large BAs may already have a comprehensive security compliance program
     ● Smaller BAs, particularly those not exclusively dedicated to the healthcare industry, may have a lot of work to do
     ● The good news: the Security Rule reflects prudent risk management practices and flexible standards

  9. New Business Associate Obligations: BA Privacy Rule Limited to HITECH Changes
     ● The HITECH Act does not impose ALL Privacy Rule obligations on a BA
     ● BAs are subject to direct enforcement of HIPAA Privacy obligations and penalties in the same manner as a CE, BUT only to the extent required under HITECH, not the full set of HIPAA Privacy Rule obligations

  10. New Business Associate Obligations: BA Privacy Rule Impacts
     ● Disclosure of Protected Health Information (PHI) must be kept to a limited data set or the minimum necessary
     ● A health provider must honor an individual's request to restrict disclosure of PHI to a health plan if the individual pays for the service out of pocket in full
     ● An individual has a right to a copy of PHI in electronic format
     ● Sale of PHI is prohibited unless authorized by the individual
     ● Certain marketing communications require authorizations
     ● A BA must comply with all of the above to the extent applicable to its access to PHI on behalf of the CE
     ● Compliance date under the Omnibus Final Rule: 9/23/13

  11. New Business Associate Obligations: BAs and Breach Notification
     ● A BA must notify the CE in the event of a breach of unsecured PHI
     ● Notice must be made without unreasonable delay and not more than 60 days from when the breach was discovered (CEs typically seek to shorten this time by contract)
     ● Discovery is when the BA knew or "should have known"
     ● The breach notice to the CE must identify the individuals whose PHI was involved
     ● The BA must provide any other available information that the CE is required to include in its notice to individuals
  12. New Business Associate Obligations: BA Agreements (BAAs), Required Provisions
     ● The Omnibus Final Rule clarified the required HITECH Act provisions:
       ● BA required to comply with ALL HIPAA Security Rule obligations
       ● BA must report to the CE any breach of unsecured PHI as required by the Breach Notification Rule
       ● BA must enter into BAAs with subcontractors imposing the same obligations that apply to the BA
       ● BA must comply with the HIPAA Privacy Rule to the extent it is carrying out a CE's obligations under the HIPAA Privacy Rule

  13. New Business Associate Obligations: BAA Implementation Timeline
     ● HIPAA-compliant BAAs executed before publication of the Final Rule (1/25/2013): entities may have up to one additional year beyond the 9/23/2013 compliance date
     ● BAAs executed BEFORE 1/25/2013 that are not set to terminate or renew before 9/23/2013: must be compliant by the earlier of the renewal date or 9/22/2014
     ● New BAAs executed AFTER 1/25/2013, or existing BAAs scheduled to be renewed before 9/23/2013: must be compliant by 9/23/2013

  14. New Business Associate Obligations: Preparing to Amend BA Agreements
     ● Evaluate your own identity: Are you a BA? Are you a CE?
     ● Prepare to engage business partners by listing all contracted entities and assessing whether PHI is involved
     ● Do you currently have BAAs in place? If not, are they needed?
     ● Engage legal counsel to review your standard BAA against HITECH and the Omnibus Final Rule and draft any needed updates based on required provisions and organizational needs/risks
     ● Educate yourself on all HIPAA and HITECH requirements and BAA required provisions, and monitor the Office for Civil Rights (OCR) closely for additional regulatory publications and announcements
     ● OCR maintains sample BAA provisions on its website at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (updated 1/25/2013)

  15. New Business Associate Obligations: Agency Relationship Considerations
     ● The Omnibus Final Rule makes clear that a CE is liable for the acts or omissions of its BA acting within the scope of "agency"
     ● BAs are likewise liable for the acts or omissions of their subcontractors acting within the scope of "agency"
     ● This means:
       ● An entity can be penalized for its agent's violations
       ● Knowledge held by the agent is imputed to the principal (e.g., knowledge of a breach or other violation)
       ● The federal common law of agency governs whether an agency relationship exists, regardless of what the contract actually says

  16. New Business Associate Obligations: Agency Relationship Considerations (Cont'd)
     ● Whether an agency relationship exists depends on the right or authority of the CE to control the BA's conduct and performance, based on the right to give interim instructions
     ● Agency consideration factors:
       ● The time, place, and purpose of the BA's conduct
       ● Whether the BA engaged in a course of conduct subject to control by the CE
       ● Whether the BA's conduct is commonly done by a BA
       ● Whether the CE reasonably expected that a BA would engage in the conduct in question
     ● This is a fact-specific analysis; in some cases an agency relationship may exist simply from the nature of the relationship between the CE and the BA

  17. New Business Associate Obligations: Liability for Agents
     ● A CE is liable for the acts of its agents within the scope of agency:
       ● Members of its workforce
       ● Agents who are business associates, regardless of whether a BA contract is in place
     ● A BA is likewise liable for the acts of its agents within the scope of agency:
       ● Its workforce
       ● Agents who are subcontractor business associates
     ● Fact specific, taking into account:
       ● The business associate contract, and
       ● The totality of the circumstances of the relationship
       ● Does the CE have authority to provide interim instructions or directions?

  18. New Business Associate Obligations: BAs, Evaluate HIPAA Security Rule Compliance
     ● Review the OCR Security Rule Guidance at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
     ● National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66 is another good resource
     ● Conduct a HIPAA Security Risk Assessment; this will help identify areas of vulnerability, threats against existing controls, and the actions needed to address them
       ● NIST SP 800-30 is a good place to start
       ● NIST Security Risk Assessment Toolkit: download free at http://scap.nist.gov/hipaa/
       ● NIST SPs are available at http://csrc.nist.gov/publications/PubsSPs.html
     ● Review the OCR Enforcement Audit Protocol at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
  19. Breach Notification
     ● HITECH Act: the first federal law mandating breach notification for the health care industry; applies to:
       ● Covered Entities
       ● Business Associates
       ● Personal Health Record (PHR) vendors, and
       ● PHR service providers
     ● The Federal Trade Commission (FTC) regulates PHR vendors
     ● Health and Human Services (HHS) regulates CEs and BAs

  20. Breach Notification: Remember State Law
     ● 46 states (plus DC, Puerto Rico, and the Virgin Islands) have notification laws
     ● Evaluate state law as well as the Omnibus Rule requirements for:
       ● Trigger
       ● Timing
       ● Content
       ● Recipients

  21. Data Breach Notification Overview
     ● Upon discovery of a breach of unsecured Protected Health Information (PHI), Covered Entities and Business Associates must make notifications, subject to certain exceptions

  22. Definition of Breach
     ● Unauthorized acquisition, access, use, or disclosure of unsecured PHI
     ● In a manner not permitted by the HIPAA Privacy Rule
     ● That compromises the security or privacy of the PHI
     ● So far so good, but ...

  23. Omnibus Final Rule Presumption
     ● An impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a reportable breach
     ● UNLESS the entity demonstrates that there is a low probability that the PHI has been compromised (the presenter's shorthand: "lo pro co")
     ● "Compromise" is not defined by the HIPAA Rules; from the preamble: "inappropriately viewed, re-identified, re-disclosed, or otherwise misused"

  24. Breach Risk Assessment
     ● A documented risk assessment must demonstrate that there is a low probability that the PHI has been compromised
     ● Four mandatory factors:
       ● What PHI: the nature and extent of the PHI involved
       ● Who: the unauthorized person who used the PHI or to whom the disclosure was made
       ● Acquired: whether the PHI was actually acquired or viewed
       ● Mitigation: the extent to which the risk to the PHI has been mitigated
     ● Other factors may be considered in evaluating the overall probability

  25. Breach Risk Assessment (Cont'd)
     ● The risk assessment must be thorough, completed in good faith, and reach reasonable conclusions
     ● An entity has discretion to provide notification without performing a risk assessment

  26. Exceptions
     ● The unauthorized person would not reasonably have been able to retain the PHI
     ● Certain good-faith or inadvertent access by, or disclosures to, workforce members within the same organization
     ● De-identified information does not pose a risk of harm
     ● Limited data sets without birth dates and zip codes (an exception under the 2009 Interim Final Rule; the Omnibus Final Rule removed it, so such incidents now go through the four-factor risk assessment)

  27. Timing of Notice
     ● Notification must be made "without unreasonable delay"
     ● No more than 60 days after discovery
     ● Subject to delay at the request of law enforcement

  28. Discovery
     ● "Discovery" of a breach occurs when:
       ● The entity has actual knowledge of the breach, including through a workforce member or agent (but not the person committing the breach), or
       ● Using reasonable diligence, the entity would have known of the breach
     ● Remember: agency is determined under federal common law

  29. Contents of Notice to Individuals
     ● Notices must contain:
       ● A brief description of what occurred
       ● A description of the types of unsecured PHI involved (e.g., name, SSN, DOB, address) but not the actual PHI
       ● Steps individuals should take to protect themselves
       ● A brief description of what the Covered Entity is doing to investigate the breach, mitigate the damage, and protect against further breaches
       ● Contact information for questions

  30. Breach Notification: Who Notifies Whom
     ● Covered Entity notifies affected individuals
       ● Written notice
       ● Substitute notice (where contact information is insufficient or out of date)
     ● Covered Entity notifies HHS; timing depends on the size of the breach:
       ● 500 or more affected: contemporaneous notification
       ● Fewer than 500 affected: annual notification, within 60 days of the end of the calendar year in which the breach was discovered (not occurred)
     ● Covered Entity may have to notify the media if more than 500 residents of a State are affected
     ● Business Associates notify the Covered Entity
  31. Practical Steps
     ● Revise breach notification policies and procedures
     ● Security risk analysis: revisit it (or do one)
     ● Develop or revisit the Security Incident Response Plan
     ● Pay special attention to portable media and personal devices
     ● Train the entire workforce on:
       ● Avoidance
       ● Being alert to potential breaches
       ● Responding to a breach

  32. Practical Steps (Cont'd)
     ● Prepare the incident response team
     ● Be ready to respond to news media attention; have a designated spokesperson
     ● Consider tightening Business Associate Agreements, particularly for agents
     ● Encryption! Make the most of the encryption safe harbor, and verify document destruction
       ● National Institute of Standards and Technology (NIST) guidance specifies the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals; PHI secured that way is not "unsecured PHI", so its loss is not a reportable breach
     ● Audit access to PHI and enforce policies

  33. GINA
     ● Genetic information is broadly defined to include the manifestation of a disease or disorder in a family member of an individual, in addition to genetic tests of individuals and family members and the receipt of genetic services
     ● A health plan that uses or discloses PHI for underwriting purposes must revise its Notice of Privacy Practices (NPP) to state that it will not use or disclose genetic information for such purposes
     ● The health plan definition has also been revised; HHS has exercised its authority to extend GINA's underwriting prohibition to all health plans except long-term care plans

  34. Increased Enforcement
     ● The HITECH Act significantly strengthened HIPAA enforcement
     ● Interim Final Rule of October 2009:
       ● Created 4 categories of culpability with corresponding penalties
       ● Took effect immediately
     ● Omnibus Rule = final Enforcement Rule
     ● The Enforcement Rule applies to Covered Entities and Business Associates

  35. Increased Enforcement: Focus on Willful Neglect
     ● Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA
     ● OCR will investigate all cases of possible willful neglect
     ● OCR will impose a penalty on all violations due to willful neglect

  36. Increased Enforcement: Penalty Tiers

     Violation Category                          Each Violation       All Identical Violations in a Calendar Year
     Did Not Know                                $100 - $50,000       $1,500,000
     Reasonable Cause                            $1,000 - $50,000     $1,500,000
     Willful Neglect - corrected within 30 days  $10,000 - $50,000    $1,500,000
     Willful Neglect - not corrected             $50,000              $1,500,000

     The $1,500,000 cap applies per type of violation per calendar year, so, for example, four types of continuing violations over three years could reach $18 million (4 x 3 x $1,500,000).

  37. What to Do Now!
     ● Create a culture of compliance
     ● OCR is aggressively enforcing the HIPAA Privacy, Breach Notification, and Security Rules
     ● OCR suggests that Covered Entities and Business Associates have a robust HIPAA Privacy and Security compliance program, including:
       ● Employee training
       ● Vigilant implementation of policies and procedures
       ● A prompt plan to respond to incidents and breaches
       ● Regular internal audits

  38. Sample Fines
     ● CVS: Privacy, $2.25M, 2009: complaint
     ● Cignet: Privacy, $4.3M, 2011: civil money penalty (CMP), complaint
     ● Phoenix Cardiac Surgery: Privacy & Security, $100K, 2012: OCR audit
     ● MEEI (Massachusetts Eye and Ear Infirmary): Security, $1.5M, 2012: self-reported breach
     ● BCBS Tennessee: $1.5M, 2012: self-reported breach
     ● Alaska Medicaid: Security, $1.7M, 2012: self-reported breach
     ● Hospice of North Idaho: Security, $50,000, 2013: self-reported breach affecting fewer than 500 individuals
     ● PLUS onerous corrective action plans

  39. Questions
     Susan A. Miller, JD
     TMSAM@aol.com
     (O) 978-369-2092
     (C) 978-505-5660
     Thank you!
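The timing rules on the breach notification slides (the BA's 60-day notice to the CE, the CE's 60-day notice to individuals, the 500-person split for HHS notice, the per-State media trigger, and the point from the agency slides that an agent's knowledge is imputed to the principal) interact in ways that are easy to get wrong under pressure, so here is a small calculator that encodes them. This is an added example written for this page, not code from the presentation or from BridgeFront; the function names, the `BreachFacts`/`Deadlines` types and the scenario dates are all constructed for illustration. It computes only the outer legal limits: "without unreasonable delay", law-enforcement delays and state-law deadlines are judgment calls it does not model.

```python
"""Breach notification clock calculator (added example, not from the deck).

Encodes the outer time limits the slides state; "without unreasonable delay"
is a judgment the code cannot make, so it only reports the latest lawful date.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

NOTICE_WINDOW = timedelta(days=60)   # BA->CE, CE->individuals, and the post-year-end HHS window
HHS_IMMEDIATE_THRESHOLD = 500        # "500 or more" affected: contemporaneous HHS notice
MEDIA_THRESHOLD_PER_STATE = 500      # "more than 500" residents of one State: media notice


@dataclass(frozen=True)
class BreachFacts:
    ba_discovered: date                     # when the BA knew or "should have known"
    ba_is_agent: bool                       # agency under federal common law, not the contract label
    ba_notified_ce: Optional[date] = None   # when the BA actually told the CE, if it has
    ce_discovered: Optional[date] = None    # when the CE learned on its own, if it did
    affected_total: int = 0
    affected_by_state: Dict[str, int] = field(default_factory=dict)


@dataclass(frozen=True)
class Deadlines:
    ba_to_ce: date                  # last day for the BA's notice to the CE
    ce_discovery: date              # day the CE's own 60-day clock starts
    individuals: date               # last day for individual notice
    hhs: date                       # last day for notice to the Secretary
    media_states: Tuple[str, ...]   # States whose media outlets must be notified


def ce_discovery_date(facts: BreachFacts) -> date:
    """When the CE is treated as having discovered the breach.

    If the BA is the CE's agent, the agent's knowledge is imputed to the
    principal, so the CE's clock starts when the BA discovered the breach even
    if the BA sat on it.  Otherwise the CE's clock starts only when it actually
    learns, either on its own or from the BA's notice.
    """
    known = [d for d in (facts.ce_discovered, facts.ba_notified_ce) if d is not None]
    if facts.ba_is_agent:
        known.append(facts.ba_discovered)
    if not known:
        raise ValueError("CE has not discovered the breach; its clock is not running")
    return min(known)


def hhs_deadline(ce_discovery: date, affected_total: int, individual_deadline: date) -> date:
    """500 or more: with the individual notice; fewer: 60 days after the end of
    the calendar year of DISCOVERY (not of occurrence)."""
    if affected_total >= HHS_IMMEDIATE_THRESHOLD:
        return individual_deadline
    return date(ce_discovery.year, 12, 31) + NOTICE_WINDOW   # timedelta handles leap years


def media_states(affected_by_state: Dict[str, int]) -> Tuple[str, ...]:
    """States in which more than 500 residents were affected."""
    return tuple(sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD_PER_STATE))


def compute_deadlines(facts: BreachFacts) -> Deadlines:
    ce_disc = ce_discovery_date(facts)
    individuals = ce_disc + NOTICE_WINDOW
    return Deadlines(
        ba_to_ce=facts.ba_discovered + NOTICE_WINDOW,
        ce_discovery=ce_disc,
        individuals=individuals,
        hhs=hhs_deadline(ce_disc, facts.affected_total, individuals),
        media_states=media_states(facts.affected_by_state),
    )


def breach_deadlines(ba_discovered: str, ba_is_agent: bool, *,
                     ba_notified_ce: Optional[str] = None,
                     ce_discovered: Optional[str] = None,
                     affected_total: int = 0,
                     affected_by_state: Optional[Dict[str, int]] = None) -> Dict[str, object]:
    """Same calculation with ISO-8601 strings in and out, for scripting."""
    def parse(s: Optional[str]) -> Optional[date]:
        return None if s is None else date.fromisoformat(s)

    d = compute_deadlines(BreachFacts(
        ba_discovered=parse(ba_discovered), ba_is_agent=ba_is_agent,
        ba_notified_ce=parse(ba_notified_ce), ce_discovered=parse(ce_discovered),
        affected_total=affected_total, affected_by_state=affected_by_state or {}))
    return {
        "ba_to_ce": d.ba_to_ce.isoformat(), "ce_discovery": d.ce_discovery.isoformat(),
        "individuals": d.individuals.isoformat(), "hhs": d.hhs.isoformat(),
        "media_states": list(d.media_states),
    }


if __name__ == "__main__":
    # Constructed scenario: a billing vendor loses an unencrypted laptop, notices
    # on 15 Sep 2013, but does not tell the CE until 20 Oct 2013.  Whether the
    # vendor is the CE's agent moves the CE's clock by five weeks.
    for agent in (True, False):
        print("agent" if agent else "independent contractor",
              breach_deadlines("2013-09-15", agent, ba_notified_ce="2013-10-20",
                               affected_total=1200, affected_by_state={"MA": 900, "NH": 300}))
```

The point to take from running it is the agency branch: with the vendor as agent the CE's individual-notice deadline is 14 November 2013, computed from the vendor's discovery, and the vendor's own late notice on 20 October has already consumed most of that window; as an independent contractor the CE's clock does not start until 20 October. Small breaches discovered late in the year still go to HHS within 60 days of 31 December, which lands on 29 February in a leap year, so let `timedelta` do that arithmetic rather than hard-coding 1 March.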