Medical Records Seminar

  1. Welcome!
     Richard E. Nell, Nell & Associates, S.C.
     Jesse A. Berg, Gray Plant Mooty, Jesse.berg@gpmlaw.com

     The health care facet of our group focuses on contract drafting, review and negotiation, as well as entity formation and regulatory compliance. Our practice encompasses all of the laws and regulations affecting the business of health care and HIPAA, including Civil Monetary Penalties, EMTALA (including defense of EMTALA proceedings), NPDB, tax exempt issues, practice management, professional licensure and medical staff issues.

     Jesse counsels health care providers on federal and state anti-kickback laws, the Stark physician self-referral law, Medicare and Medicaid reimbursement, enrollment and participation issues, HIPAA and state privacy and confidentiality matters, as well as federal and state antitrust issues. Jesse provides legal guidance to a variety of different types of health care providers.
  2. Background on HIPAA and HITECH: Privacy and Security Regulations and the Status of HITECH Regulations
     Lorman Education Services: Medical Records Law, March 23, 2012
     Richard E. Nell, Nell & Associates, S.C.; Jesse A. Berg, Gray Plant & Mooty
  3. Key Changes Under HITECH
     • Breach notification
     • Business associates subject to privacy, security rules
     • Accounting of Disclosure requirements
     • Access to PHI kept in EHR
     • Minimum Necessary Rule
     • Request for Restrictions on Disclosures
     • Disclosures for Marketing
     • Fundraising
     • Sale of PHI
     • HHS investigations and penalties required for cases involving willful neglect
     • State attorneys general authorized to sue for HIPAA violations
     • Adversely affected parties can recover a percentage of civil monetary penalties or settlements
  4. Effective Dates of Key HITECH Provisions
     2009
       Feb. 17
         – CMPs applicable to BAs
         – State AGO enforcement
       Aug. 24
         – Notification of breach interim regulations
       Sep. 23
         – Effective date of breach notification regulations
     2010
       Feb. 17
         – BA contracts required for certain entities
         – BA's security obligations
         – BA's privacy obligations
         – Access to information in electronic format
         – Request on restrictions for PHI disclosures to plans when payment is out of pocket
         – Conditions on certain communication as part of health care operations
       Aug. 17
         – Guidance on minimum necessary rule
         – Proposed regulations on prohibition on sale of EHRs or PHI
       Sep. 17
         – Criminal willful neglect regulations
     2011
       Jan. 1
         – Accounting for EHR disclosures (if EHR acquired after 1/1/09)
       Feb. 17
         – Effective date for final regulations on sale of EHRs or PHI
         – Criminal willful neglect effective
     2014
       Jan. 1
         – Accounting for EHR disclosures (if EHR acquired as of 1/1/09)
  5. HITECH Developments: where are we now?
     • HITECH Act (Feb. 17, 2009)
     • Breach Notification Interim Final Rule (74 FR 42740, Aug. 2009)
       – Effective Sep. 23, 2009
     • HITECH Enforcement Interim Final Rule (74 FR 56123, Oct. 2009)
       – Effective Nov. 30, 2009
     • HITECH Proposed Rule (July 2010)
       – Addresses HIPAA Privacy, Security & Enforcement Rules
  6. Overview of Proposed Regulations
     • Dates:
       – Published July 14, 2010 (75 Fed. Reg. 40,868)
       – Deadline for submitting comments was September 13, 2010
       – Unless otherwise indicated, compliance date is 180 days after publication of Final Rule
       – Later date for revising BA contracts
     • Content:
       – Business associates
       – Enforcement
       – Electronic access
       – Marketing
       – Fundraising
       – Sale of PHI
       – Right to request restrictions
       – Minimum necessary
       – Notice of privacy practices
       – Research authorizations
       – Student immunization records
       – Decedent information
  7. Modifications to Privacy, Security and Enforcement Rules
     • Proposed modifications included:
       – Require BAs to be subject to Security Rule and parts of Privacy Rule
         • Written agreements between BAs and subcontractors
       – Issue of whether amendments to BA contracts with Covered Entities are required
       – New limitations on use and disclosure of PHI for marketing, fundraising
       – Individual rights (access, requesting restrictions, notice of privacy practices)
       – HHS sought comment on what "minimum necessary" guidance would be helpful
  8. Modifications to Privacy, Security and Enforcement Rules
     • Proposed regulations (July 14, 2010)
       – Comment period closed on Sep. 13, 2010
       – No final rule to date, which means the proposed regulations remain nonbinding
     • HHS has indicated it will be issuing an "omnibus" HIPAA rule
       – Addressing penalties, breach notification and issues from the July 2010 proposal
  9. HIPAA Enforcement: A Perfect Storm
     • Why?
       – Increased regulation and greater complexity
         • HITECH and HIPAA
         • State laws
       – Increasing volumes and types of information
         • EHRs
         • Mobile devices and locations
         • Social media
         • Online treatment options
       – Increasing enforcement
         • Enhanced penalties
         • Aggressive regulators
  10. HITECH Act
     • Required Covered Entities to provide accounting of disclosures from an electronic health record to carry out treatment, payment and health care operations
     • May 3, 2010: HHS issues request for information for HITECH AOD standard
  11. Accounting of Disclosures
     • Current Rule:
       – Accounting of disclosures is required in only a limited number of instances
       – Accounting of disclosures not required for disclosures for Treatment, Payment or Health Care Operations
  12. Accounting of Disclosures
     • Under HITECH, CEs and BAs will need to account for TPO disclosures if they use an EHR:
       – CEs that have EHR before 1/1/09 not bound until 2014
       – CEs that acquire EHR after 1/1/09 bound on 1/1/11
       – Applies to 3 years prior to date on which accounting requested
       – HHS can postpone compliance dates for two years
  13. Proposed AOD Regulations
     • Issued May 31, 2011; comments accepted through Aug. 1, 2011
       – 76 Fed. Reg. 31426 (May 31, 2011)
     • Key components:
       – Created broad new access report right
       – Limited current AOD right
     • Effective Dates
       – Access reports on 1/1/13 or 1/1/14
       – AOD requirement 240 days after final regulations published
  14. Right to AOD
     • Scope of information subject to accounting is information in designated record set (DRS)
     • Proposal would require the CE to include the disclosures of its BAs in the accounting
     • Reduces the accounting period to disclosures occurring during the previous 3 years, rather than 6 years
  15. Right to AOD
     • Provides a list of the types of disclosures subject to the accounting:
       – Public health
       – Judicial and administrative proceedings
       – Law enforcement
       – Avert threat to health/safety
       – Military and veterans activities
       – Dept. of State
       – Government programs providing public benefits
       – Workers compensation
       – Impermissible disclosures, unless constitutes a breach
  16. Right to AOD
     • Modifies elements of the existing content requirements:
       – An explanation of the type of PHI disclosed, instead of a brief description of the PHI disclosed
       – A description of the purpose, instead of a statement of the purpose, in an effort to clarify that only a "minimum description is required if it reasonably informs the individual of the purpose."
       – Gives individuals the option to limit their accounting to either a particular time period, type of disclosure or recipient
  17. Access Report
     • Covered entities required to provide an individual with an "access report" identifying who has accessed the individual's electronic designated record set information
     • Access report right does not extend to paper records
  18. Access Report
     • Two major differences from HITECH Act statutory provisions:
       – Provides an individual with the right to be informed of all persons who have accessed their record
         • Regardless of whether the information was actually disclosed to someone outside of the entity's workforce
       – Creates a new right to receive an access report with respect to the designated record set maintained by all covered entities, regardless of whether those entities have implemented EHRs
         • HITECH provided for accounting of disclosures from EHRs
  19. Access Report
     • HHS: new access right would not impose an unreasonable burden on covered entities
     • HHS: under HIPAA Security Rule, electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report
  20. Access Report
     • Report must include the following elements:
       – Date of the access
       – Time of the access
       – Name of the individual, if available, or otherwise the name of the entity who accessed the information
       – Description of what information was accessed, if available
       – Description of the action by the user, if available
     • Electronic DRS information will often reside on a number of distinct systems with separate access logs. HHS expects covered entities to aggregate that data into a single access report
  21. Access Report
     • 30 day timeline for providing the access report
     • Within the 30 day period, a covered entity also would need to include the access logs of its business associates that create, receive, maintain or transmit electronic designated record set information
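One way to do the aggregation slides 20 and 21 describe, as an added example that is not part of the seminar material or any vendor's product: parse the covered entity's own EHR audit export and a business associate's syslog-style audit lines, normalize each entry to the five elements the proposed rule lists (date, time, user or entity, what was accessed, action), merge them into one chronological report per patient, and compute the 30-day response date. Both log formats, every field name, the sample log lines and the function names (`build_report`, `response_due`) are constructed assumptions for this illustration; real systems will differ.

```python
"""Aggregate per-patient access logs from several systems into the single
access report the proposed rule describes: date, time, who accessed the
record (a user, or an entity when no named user is known), what was
accessed, and the action taken.

Added example written for this page, not code from the seminar or from any
vendor. Both log formats, all field names and the sample log lines are
constructed."""
import csv
import io
import re
from datetime import date, datetime, timedelta

# Constructed sample: audit export (CSV) from the covered entity's own EHR.
EHR_CSV = """timestamp,user,patient_id,record_type,action
2012-02-03T09:14:22,dr.smith,P-1001,progress note,view
2012-02-03T09:20:05,dr.smith,P-1001,medication list,update
2012-02-04T16:02:41,billing.bot,P-1002,claim,view
2012-02-05T11:45:00,nurse.lee,P-1001,lab result,print
"""

# Constructed sample: syslog-style audit lines from a business associate's
# lab system. "ResultsInterface" is an entity (an interface account), not a
# named individual; the rule accepts the entity name in that case.
BA_SYSLOG = """\
Feb  3 10:05:17 labsys audit: actor=labtech42 pid=P-1001 obj=cbc-panel act=read
Feb  5 08:30:00 labsys audit: actor=ResultsInterface pid=P-1001 obj=cbc-panel act=export
Feb  5 08:31:10 labsys audit: actor=labtech07 pid=P-1002 obj=lipid-panel act=read
Feb  5 08:32:00 labsys kernel: unrelated noise line
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ audit: "
    r"actor=(?P<actor>\S+) pid=(?P<pid>\S+) obj=(?P<obj>\S+) act=(?P<act>\S+)$"
)

def _entry(when, who, patient_id, what, action, source):
    """Normalized report row: every element the proposed rule lists, plus
    the source system so the CE can show that BA logs were included."""
    return {"date": when.date().isoformat(), "time": when.time().isoformat(),
            "who": who, "patient_id": patient_id, "what": what,
            "action": action, "source": source}

def parse_ehr_csv(text, source):
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S")
        rows.append(_entry(when, rec["user"], rec["patient_id"],
                           rec["record_type"], rec["action"], source))
    return rows

def parse_ba_syslog(text, source, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    rows = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # non-audit lines are skipped rather than aborting the report
        when = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        rows.append(_entry(when, m["actor"], m["pid"], m["obj"], m["act"], source))
    return rows

def access_report(patient_id, entries):
    """All accesses to one patient's electronic DRS, across systems, in order."""
    rows = [e for e in entries if e["patient_id"] == patient_id]
    rows.sort(key=lambda e: (e["date"], e["time"]))
    return rows

def render(rows):
    return [f"{r['date']} {r['time']}  {r['who']:<18} {r['action']:<7} "
            f"{r['what']}  [{r['source']}]" for r in rows]

def response_due(request_date_iso):
    """Proposed 30-day deadline, computed from the request date (ISO string)."""
    return (date.fromisoformat(request_date_iso) + timedelta(days=30)).isoformat()

def build_report(patient_id):
    entries = (parse_ehr_csv(EHR_CSV, "ehr")
               + parse_ba_syslog(BA_SYSLOG, "ba:lab", 2012))
    return access_report(patient_id, entries)

if __name__ == "__main__":
    print("Due by:", response_due("2012-03-23"))
    print("\n".join(render(build_report("P-1001"))))
```

The join key here is a shared patient identifier; in practice the BA's log will often key on its own accession or order number, and the mapping back to the CE's patient id is the part that needs the most care, since a wrong mapping puts one patient's accesses in another patient's report.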
  22. Access Report
     • Covered entity would need to provide an individual with a notice of privacy practices that contains a statement of the individual's right to receive both an accounting of disclosures of PHI and an access report
     • Because the access report requirement is new, it would require an amendment to existing privacy notices
     • Other changes to NPP as HITECH regulations are finalized?
  23. Right to AOD
     • Provision of an accounting of disclosures:
       – Timeframe for responding to an accounting request decreased to 30 days
       – Must provide individuals with the accounting in the form (e.g., paper or electronic) and format (i.e., compatible with a specific software application) requested by the individual, if readily producible
       – May require the individual to submit the accounting request in writing (which includes electronic requests)
         • Covered entity informs individuals of this requirement
  24. Problems with Proposed Regulations
     • HHS recognizes that EHRs do not have technical capacity to allow HITECH accountings
     • HHS believes HIPAA Security Rule already requires all access report information to be tracked
     • Fundamental "re-thinking" of regulators' interpretation of Security Rule?
     • Is this a reasonable burden to place on covered entities?
     • What is the patient interest being advanced?
  25. Minimum Necessary
     • HITECH section 13405(b): Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary. HHS to issue guidance on what constitutes minimum necessary (at which time provision sunsets)
     • HHS asked for comment on what guidance would be helpful to covered entities and BAs
     • No change to current regulation
  26. Electronic Access to PHI
     • For ePHI, covered entity must provide electronic access:
       – In form and format requested by individual, if readily producible, otherwise
       – Readable electronic form and format as agreed to by CE and individual
     • Must provide copy to individual's designee:
       – Request must be in writing
       – Must clearly identify designated person
  27. Electronic Access to PHI
     • Covered entity may charge for:
       – Labor
         • Time attributable to reviewing request and producing copy
       – Cost of electronic media
         • CD, USB drive, or similar portable media/device
         • Can't charge for access through portal, e-mail, or PHR
     • BA must provide PHI to covered entity, individual, or individual's designee as set forth in BA agreement
  28. Marketing
     • Current rule: certain marketing-type activities are exempted from definition of "marketing" and are considered as part of treatment or healthcare operations
     • Under HITECH, authorization is required for such disclosures if the CE receives direct or indirect payment in connection with the communication
     • Effective Feb. 17, 2010
  29. HITECH Audit Program
     • HITECH required HHS to conduct periodic audits of Covered Entities & Business Associates
     • 2 contracts (June, July 2011) with Booz Allen Hamilton and KPMG to engage in audits
       – Booz to identify "audit candidate information"
       – KPMG to develop audit protocol and conduct audits
     • Audits to conclude by Dec. 31, 2012
  30. HITECH Audit Program
     • Audits to include
       – Site visit (interview with CIO, legal counsel, HIM/medical records director, other leaders)
         • Examination of physical features, operations and adherence to policies
       – Audit report:
         • Best practices noted; instances of noncompliance
         • Raw data (completed checklists, interview notes)
         • Recommendations for actions to address compliance problems
         • Recommendations to HHS for corrective action
  31. Right to Request Restrictions
     • Covered entity must agree to individual's request to restrict disclosure of PHI to health plan if:
       – PHI pertains solely to health care for which individual (or person on behalf of individual other than health plan) has paid covered entity in full out of pocket
       – Disclosure is for payment or health care operations purposes and not required by other law
  32. Right to Request Restrictions
     • Covered entity cannot require individual to pay out of pocket for all services if individual wishes to restrict disclosures regarding only certain services
     • If individual's payment is not honored, and payment issue cannot otherwise be resolved with individual, covered entity may submit PHI to health plan for payment
     • HHS asked for public comment on various operational issues
  33. Notice of Privacy Practices
     • Changes to NPPs
       – Statement regarding sale of PHI and other purposes that require authorization
       – Statement regarding subsidized treatment communications, if applicable, and that individual can opt out
       – Statement regarding fundraising communications, including that individual can opt out
       – Statement that covered entity must agree to restrict disclosure to health plan if individual pays out of pocket in full for health care service
  34. Notice of Privacy Practices
     • HHS requested comment:
       – Include specific statement on breach notification?
       – Options for health plans to distribute revised NPP
         • In next annual mailing to enrollees
         • Extension or waiver of current 60-day deadline
         • Retain 60-day deadline
         • Others?
  35. Research Authorizations
     • Covered entity can use one authorization form for use and disclosure of PHI in clinical trial and for PHI to be placed into repository (biospecimen storage)
     • Requested comment on amount of specificity about future research uses needed in authorization
       – Do authorizations have to be research specific?
  36. Student Immunization Records
     • Covered entity may disclose proof of immunization of child to schools in States with school entry laws
       – Written authorization not required
       – Need prior oral or written agreement from parent
  37. Decedent Information
     • Decedent's information is no longer PHI after 50-year period
       – Request for comment on proposal of 50 years
     • Covered entity may disclose decedent's PHI to family members and others who were involved in care/payment for care of decedent prior to death, unless inconsistent with prior expressed preference
  38. Future HHS/OCR HITECH Activities
     • Accounting of Disclosures Final Rule
     • Reports to Congress on Compliance, Breach Notification
     • HIPAA Audit Program
     • State Attorneys General Enforcement
     • Minimum Necessary Guidance
     • De-identification Guidance
     • Final Rules on HITECH, Breach Notification, Enforcement
  39. Overview of HIPAA Privacy Rule: Application, Patient Access Rights and Restrictions
  40. The Privacy Rule
     • The Privacy Rule Does Not Preempt State Law Where the Provision of State Law Relates to the Privacy of Health Information and Is Contrary to and More Stringent Than a Provision of the Privacy Rule
  41. The Privacy Rule
     • The Privacy Rule Also Does Not Preempt:
       – State Laws That Provide for the Reporting of Disease or Injury, Child Abuse, Birth or Death, or for the Conduct of Public Health Surveillance, Investigation or Intervention
       – State Laws That Require a Health Plan to Report, or to Provide Access to Information, for the Purpose of Management or Financial Audits, Program Monitoring and Evaluation, Licensing, and Related Issues
       – Laws That the Secretary of HHS Has Determined Should Not Be Preempted
  42. Covered Entities
     • Health Plans
     • Group Health Plans
     • Health Care Clearinghouses
     • Health Care Providers Who Engage in Electronic Transactions
  43. Health Plans
     • Individual or Group Plan That Pays for the Cost of Medical Care, Includes:
       – Health Insurance Issuer
       – HMO
       – Medicare
       – Medicaid
       – Medicare Supplement Policy
  44. Health Plans
     • Long Term Care Policies (Excluding Nursing Home Fixed Indemnity)
     • Employee Welfare Benefit Plan
     • Health Care Program for Active Military
     • Veterans' Health Program
     • CHAMPUS
     • Indian Health Service Program
  45. Health Plans
     • Federal Employees Health Benefits Program
     • SCHIP
     • Medicare+Choice
     • High Risk Pool
     • Any Other Individual or Group Plan or Combination
  46. Health Plans
     • Excluded From Health Plans:
       – Policy, Plan, or Program to the Extent it Provides or Pays for Benefits Excepted Under the PHS Act
       – A Government Funded Program (Other Than Those Listed) Whose Principal Purpose is Other Than Providing or Paying for Health Care, or Direct Provision or Grants
       – Workers Compensation, Automobile, Property and Casualty Insurance
  47. Group Health Plans
     • How Most Employers Will Get Pulled Into HIPAA
     • Employee Welfare Benefit Plan (ERISA)
       – Possibly Includes Flex Plans, FSAs
     • Insured and Self-Insured Plans
     • To Extent Plan Provides Medical Care to Employees or Participants
       – 50 or More Participants, OR
       – Administered by Third Party
  48. Health Care Clearinghouse
     • Public or Private Entity Including:
       – Billing Service
       – Community Health Management Information System
       – Community Health Information System
  49. Health Care Clearinghouse
     • Does Either of the Following:
       – Processes Health Information From Another Entity in Non-Standard Format or Non-Standard Data into Standard Data Elements or Standard Transaction; OR
       – Vice Versa
  50. Health Care Provider
     • Provider of Services
     • Provider of Medical or Health Services
     • Provider of Health Care
  51. Health Care Provider
     • Provider of Services
       – Hospital
       – Critical Access Hospital
       – Skilled Nursing Facility
       – Outpatient Rehab Facility
       – Home Health Agency
       – Hospice Program
  52. Health Care Provider
     • Provider of Medical Services
       – Physician Services
       – Hospital Services
       – Diagnostic Services
       – Outpatient PT Services
       – Outpatient OT Services
       – Rural Health Clinic Services
       – Home Dialysis Supplies and Equipment
  53. Health Care Provider
     • Provider of Medical Services (Continued):
       – Self-Care Home Dialysis Support Services
       – Physician Assistant Services
       – Nurse Practitioner Services
       – Certified Nurse Midwife Services
       – Psychological Services
       – Clinical Social Worker Services
       – X-Ray Services
  54. Health Care Provider
     • Provider of Medical Services (Continued):
       – DME
       – Ambulance Services
       – Prosthetic Devices
       – Certified Nurse Anesthetist Services
       – Other Services Which, if Provided by a Physician, Would be Considered Physician Services
  55. Health Care Provider
     • Only Health Care Providers Who Transmit Health Information in Electronic Form in Connection With a Transaction Are Covered
     • Electronic Does Not Include Facsimile
  56. Health Care Provider
     • Transaction Means
       – Transmission Between Two Parties to Carry Out Financial or Administrative Activities
       – Includes
         • Health Care Claims
         • Health Care Payment and Remittance Advice
         • Coordination of Benefits
         • Enrollment and Disenrollment
         • Referral Certification
  57. HIPAA and Employers
     • Only Certain Health Care Providers, Health Plans, and Health Care Clearinghouses Are Covered Entities
     • Employers Not Generally Covered Unless They Fall Under Above Definitions
     • Caveat: Medical Information Provided to Employers and Employer Sponsored Group Health Plans
  58. What is Covered
     • Protected Health Information
       – Also Known as "PHI"
       – Individually Identifiable Health Information
       – Transmitted Electronically
       – Maintained in any Media Described Under HIPAA
       – Transmitted or Maintained in ANY OTHER FORM
  59. Protected Health Information
     • Individually Identifiable Health Information
       – Relates to Past, Present, or Future Physical or Mental Health or Condition of an Individual
       – Provision of Health Care to Individual
       – Past, Present, or Future Payment for Health Care to an Individual
       – That Identifies the Individual, or
       – Reasonably Could be Used to Identify the Individual
  60. Protected Health Information
     • Excludes
       – Education Records Under FERPA
       – Certain Other Records Defined Under FERPA
       – Employment Records Held by a Covered Entity in Capacity as Employer
  61. Employment Records and PHI
     • Definition of Protected Health Information ("PHI") Specifically Excludes:
       – Employment Records Held by a Covered Entity in its Role as Employer
         • 45 C.F.R. § 160.103 (definition of "protected health information")
     • Example: Drug Testing or Fitness for Duty
       – Must be Provided to CE in Capacity as Employer
       – If Conducting Testing, Must Get Authorization to Transmit to HR
     • Example: Professional Sports Teams' Player Information
  62. Personal Rights
     • Overview
       – Covered Entities Must Grant Certain Rights to Individuals
       – Informational Forms and Means of Access and Accounting
  63. Notice of Privacy Practices
     • Covered Entity Must Provide Notice of Uses and Disclosures of PHI
     • Not Directly Applicable to Group Health Plans
  64. Notice of Privacy Practices
     • Not Applicable to Inmates or Correctional Facilities
     • Content
       – Written
       – Plain Language
       – No Prescribed Font Size
  65. Notice of Privacy Practices
     • Elements
       – Header – Prominent, All Capital Letters
       – Description of Uses and Disclosures
         • TPO
         • Other Purposes Without Authorization
         • Must Reflect More Stringent State Law
         • Those Disclosures Requiring Authorization
         • Right to Revoke Authorization
  66. Notice of Privacy Practices
     • Specific Uses or Disclosures
       – Appointment Reminders
       – Treatment Alternatives
       – Fundraising
       – Group Plan Disclosure to Plan Sponsor
       – Marketing, per Restrictions
       – Health-Related Benefits/Communications
  67. Notice of Privacy Practices
     • Individual Rights
       – Right to Request Restrictions
       – Right to Receive Confidential Communications
       – Right to Access
       – Right to Amend
       – Right to Accounting
       – Right to Copy of Notice
  68. Notice of Privacy Practices
     • Covered Entity's Duties
       – Required by Law to Maintain Confidentiality
       – Required to Abide by Notice
       – May Only Change Privacy Practices Through Revised Notice
     • Complaint Process – Internal and DHHS
     • Contact – Privacy Officer
     • Effective Date
  69. Notice of Privacy Practices
     • Optional Elements
       – Covered Entity May Further Restrict Use or Disclosure
       – No Restriction on Legally-Required Disclosures
     • Revise
       – Covered Entity Must Promptly Revise and Distribute if Material Change
  70. Notice of Privacy Practices
     • Providing Notice – Health Plans
       – No Later than Compliance Date
       – To New Enrollees at Time of Enrollment
       – Within 60 Days of Revision
       – At Least Once per Three Years
       – Provided to Named Insured Only
  71. Notice of Privacy Practices
     • Health Care Providers
       – Direct Treatment Relationship
       – Date of First Service on or After April 14, 2003
       – In Emergency, May Provide When Reasonably Practicable
       – Good Faith Effort to Obtain Written Acknowledgment (Non-Emergency)
       – Document Failed Attempts
  72. Notice of Privacy Practices
     • Electronic Notice
       – If Maintain Website, Must Post
       – If Requested, Provide Notice via Email
       – If Email Fails, or if Individual Requests, Must Provide Paper Copy
       – Good Faith Effort Must be Documented
  73. Notice of Privacy Practices
     • Joint Notice – OHCA
       – All Covered Entities in the OHCA Must Abide by It
       – Joint Notice Contains Elements Listed Above
       – States Entities in OHCA May Share PHI
       – OHCA Entities Now Provide the Notice
       – Entities Must Document Compliance
  74. Notice of Privacy Practices
     • Changes to Privacy Practices
       – Notice Must be Revised
       – Revised Notice Available to Individuals
       – No Changes Prior to Effective Date of Notice
       – If Not Reserved Right to Change, Covered Entity Bound for All Prior PHI Received
       – If Not Reserved, Change Only if
         • Meets Requirements Above
         • Effective Only as to PHI Created/Received After Date
  75. Access to PHI
     • Effective Feb. 17, 2010, a CE which maintains an EHR is required:
       – To produce a copy of such PHI in electronic format upon individual's request
       – To transmit an electronic copy directly to an entity designated by the individual if request is clear and specific
       – Fees for this may not be greater than CE's labor costs in responding to the request for the copy
  76. Access to PHI
     • Individual Has Right of Access and Inspection
     • No Right to Psychotherapy Notes, Information Compiled for Legal Proceeding, or Information Exempt Under CLIA
     • May Deny Without Review if For Above, if For Inmate, if During Research, if Under Privacy Act, or if Obtained From Another Party
     • Access to "Designated Record Set"
  77. Right of Access
     • Must Provide Review if Refused Due to Endangerment, Due to Mention of Another Person, or if Access by Personal Representative Is a Danger
     • Response to Request Within 30 Days + 30 Day Extension
     • If Reasonable, Must be in Requested Format, or Summary if Acceptable; Cost-Based Fee
  78. Denial of Access
     • Provide Access to Non-Objectionable PHI
     • Written Denial, in Plain Language, of Basis and Complaint Process
     • Notify Individual of Location if Not With Covered Entity
  79. Right to Amendment
     • Individual May Request Amendment to PHI
     • Covered Entity May Deny if Not Its Record, Not Available for Access, or if Accurate
     • Covered Entity May Require That Request be in Writing and Provide Reason
     • 60 Day Time Limit + 30 Day Extension
  80. Acceptance of Amendment
     • Covered Entity Must Amend/Append Record
     • Covered Entity Must Notify Individual
     • Covered Entity Must Notify Third Parties and Business Associates of Amendment
  81. Denial of Amendment
     • Must Provide Individual With Written Denial
     • Provide Individual Right to Submit Statement in Disagreement
     • Copies Sent Out to Third Parties
     • Covered Entity May Submit Rebuttal Statement
  82. Current Accounting of Disclosures Rule
     • Individual has right to receive an accounting of disclosures of PHI by Covered Entity or its Business Associate up to 6 years prior to the request
     • CEs and BAs required to track PHI disclosures that fall under accounting rule:
       – Date
       – Name of recipient of PHI (address, if available)
       – Brief description of PHI
       – Purpose of the disclosure
  83. Current Accounting of Disclosures Rule
     • No tracking required:
       – For treatment
       – For payment
       – For healthcare operations
       – Incidental to permitted disclosures
       – Disclosures under an authorization
  84. Current Accounting of Disclosures Rule
     • No tracking required:
       – For the facility's directory
       – To persons involved in the individual's care
       – For national security or intelligence purposes
       – To law enforcement officials or correctional institutions about an inmate
  85. Current Accounting of Disclosures Rule
     • No tracking required:
       – As part of a limited data set, or information that has been de-identified
       – Made prior to April 14, 2003
       – Made more than 6 years prior to the date of the request
  86. Current Accounting of Disclosures Rule
     • Tracking required:
       – To the Secretary of DHHS
       – Required by law (e.g., mandated reporting under state law)
       – For public health activities/reporting
       – About victims of abuse, neglect or domestic violence
       – For health oversight activities (e.g., licensure actions)
  87. Current Accounting of Disclosures Rule
     • Tracking required:
       – In response to a court order
       – In response to a subpoena or discovery request
       – For law enforcement
       – To a medical examiner or funeral director, or for cadaveric organ donations
       – For research where authorization is not required
  88. Suspension of Accounting
     • Temporarily Suspend Accounting if Health Oversight Agency or Law Enforcement Official Provides Statement
     • If in Writing, for as Long as Specified
     • If Orally, for 30 Days
  89. Providing the Accounting
     • Date of Disclosure
     • Name of Party Receiving
     • Description of PHI
     • Brief Statement of Purpose for Disclosure or Copy of the Request
     • 60 Day Time Limit + 30 Day Extension
  90. Request for Restriction on Use or Disclosure of PHI
     • Request for Restrictions on Any Aspect
     • Covered Entity Need Not Comply with Request
     • If Agree, Then May Not Disclose Except in Emergency
       – Even Then, Must Obtain Assurance from Recipient That It Will Not Further Disclose
       – Not a Bar to Disclosures for Facility Directory (Unless Individual Otherwise Objects) or for Other Legally-Required Disclosures
     • May Terminate Orally if Documented, and Only as to PHI Created/Received After Termination
  91. Restrictions on Disclosures
     • Effective Feb. 17, 2010, CE must agree to requested restrictions on disclosures of PHI if:
       – Disclosure is to health plan for purposes of carrying out payment or health care operations; and
       – PHI pertains solely to an item/service for which provider involved was paid out of pocket in full
  92. Uses and Disclosures of PHI Including Authorization, Business Associates, and Other Key Components
  93. Uses or Disclosures
     • Use and Disclosure for Treatment, Payment, and Health Care Operations ("TPO")
       – Covered Entity Generally May Use and Disclose PHI for TPO
       – No Consent – Now Notice of Privacy Practices
       – Treatment
         • Use or Disclose to Any Provider
       – Payment
         • Use or Disclose Minimum Necessary to Any Other
  94. Uses or Disclosures
     • Health Care Operations
       – Quality Assurance Activities
         • Quality Assessment and Guidelines, Case Mgmt.
       – Professional Competency Activities
         • Accreditation, Credentialing, Licensing
       – Insurance Activities
         • Underwriting, Premium Rating
       – Compliance Activities
         • Fraud and Abuse Compliance
       – Business Activities
         • Legal, Auditing, Business Planning, Sale of Practice
  95. Uses or Disclosures
     • De-Identified Information
       – Not PHI
       – May Statistically Determine That PHI has Been De-Identified
         • Qualified Individual Offers Professional Conclusion
         • Mathematically Not Identifiable
  96. Uses or Disclosures
     • De-Identified Information Safe Harbor (identifiers that must be removed)
       – Names
       – Geographic Subdivisions
       – Dates
       – Telephone Numbers
       – Facsimile Numbers
       – Email Addresses
       – Social Security Numbers
       – Medical Record Numbers
       – Health Plan Numbers
  97. Uses or Disclosures
     • De-Identified Information Safe Harbor (continued)
       – Account Numbers
       – License Numbers
       – Vehicle Identifiers
       – Device Identifiers
       – URLs
       – Internet Addresses
       – Biometric – Finger and Voice Prints
       – Facial Photographs
       – Etc.
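The safe-harbor approach in code, as an added example that is not from the seminar or from HHS: drop the direct-identifier fields slides 96 and 97 list, generalize the date and geographic fields, and scrub the same identifiers out of free text, which is where they most often survive a field-level filter. The record layout, field names, regular expressions and sample record are constructed for this illustration. Two details are applied here as assumptions drawn from the safe-harbor rule text rather than from the slides: dates keep only the year (and a birth date indicating an age over 89 is replaced by "90+"), and a ZIP code keeps only its first three digits unless the caller lists that prefix as restricted (the rule restricts low-population prefixes; which ones is left to the caller).

```python
"""Safe-harbor style de-identification of one patient record.

Added example written for this page, not code from the seminar or from HHS.
The record layout, field names, regexes and sample record are constructed.
Assumptions taken from the safe-harbor rule text rather than the slides:
dates keep only the year (birth dates indicating age > 89 become "90+"), and
ZIP codes keep only their first three digits unless that prefix is in the
caller-supplied restricted set, in which case they become "000"."""
import re
from datetime import date

# Fields removed outright (the categories the slides enumerate).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
})
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})
ZIP_FIELDS = frozenset({"zip"})
FREE_TEXT_FIELDS = frozenset({"notes"})

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")

# Constructed sample record.
RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00042",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "dob": "1950-06-15",
    "zip": "55401",
    "admit_date": "2012-02-03",
    "diagnosis": "I10",
    "notes": "Pt called from 612-555-0142; follow up 2012-02-20. "
             "SSN 123-45-6789 confirmed by phone.",
}

def generalize_date(value, asof, is_birth_date=False):
    """Reduce an ISO date to its year; suppress it entirely if it reveals
    an age over 89 (assumption from the rule text, see module docstring)."""
    d = date.fromisoformat(value)
    if is_birth_date:
        age = asof.year - d.year - ((asof.month, asof.day) < (d.month, d.day))
        if age > 89:
            return "90+"
    return str(d.year)

def generalize_zip(value, restricted_prefixes):
    prefix = value[:3]
    return "000" if prefix in restricted_prefixes else prefix

def scrub_text(text):
    """Remove the identifiers that typically leak into narrative fields.
    SSNs are handled before phone numbers so a 3-2-4 pattern is not
    misclassified; dates are reduced to their year, as for date fields."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return DATE_RE.sub(lambda m: m.group(1), text)

def deidentify(record, asof_iso, restricted_zip_prefixes=frozenset()):
    """Return a new de-identified dict; the input record is not modified."""
    asof = date.fromisoformat(asof_iso)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field] = generalize_date(value, asof, is_birth_date=(field == "dob"))
        elif field in ZIP_FIELDS:
            out[field] = generalize_zip(value, restricted_zip_prefixes)
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_text(value)
        else:
            out[field] = value  # clinical content (e.g. diagnosis code) is kept
    return out

if __name__ == "__main__":
    for k, v in deidentify(RECORD, "2012-03-23").items():
        print(f"{k}: {v}")
```

A field allow-list is the safer design for new pipelines (keep only fields known to be non-identifying) rather than the drop-list used here, because an unexpected field with an identifier in it passes a drop-list untouched; the drop-list form is used above only because it maps directly onto the slides' enumeration.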
  98. Prohibition on Sale of PHI
     • Effective Feb. 2011: HITECH prohibits CEs, BAs from receiving ANY payment for PHI, unless individual signs authorization
     • Limited exceptions exist
       – Transfer in connection with sale or merger of CE
       – Transfer for treatment, public health or research activities
       – Providing individuals with copy of their PHI
     • HHS to issue regulations by Aug. 2010
  99. Sale of PHI
     • Covered entity prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
     • If authorization obtained, authorization must state that disclosure will result in remuneration
     • Exceptions:
       – Public health
       – Research, if remuneration limited to cost to prepare and transmit PHI
       – Treatment & payment
  100. Sale of PHI
     • Exceptions (cont.)
       – Sale of business
       – Remuneration to BA for services rendered
       – Providing access or accounting to individual
       – Disclosure required by law
       – Where only remuneration received for otherwise permitted disclosure is reasonable, cost-based fee to prepare and transmit PHI, or fee otherwise expressly permitted by other law
  101. Authorization
     • Elements
       – Meaningful Description of PHI
       – Identify Entities or Class Disclosing
       – Identify Entities or Class Receiving
       – Purpose
       – Expiration Date or Event
       – Individual's Rights
       – Revocation
       – Marketing = Remuneration
       – Dated and Signed
  102. Authorization
     • Typically Cannot Condition Treatment Upon Execution
     • Allowed to Condition if for Third Party – Fitness for Duty, etc.
     • Health Plan May Condition for Underwriting or Risk Rating
     • Provider May Condition for Research
  103. Authorization
     • Psychotherapy Notes Require Authorization
     • Marketing Requires Authorization
     • Research Typically Requires Authorization
     • Any Use or Disclosure Not Addressed by the Rule Requires Authorization
  104. Use and Disclosure of PHI
     • Overview
       – "Use"
         • Sharing, Employment, Application, Utilization, Examination, or Analysis of PHI Within the Covered Entity
       – "Disclosure"
         • Release, Transfer, Provision of Access to, or Divulging PHI In Any Manner Outside Covered Entity
  105. Use and Disclosure of PHI
     • Mandatory Disclosures
       – CE Must Disclose to Individual or Personal Representative
       – CE Must Disclose to DHHS for Investigation
  106. Other Uses or Disclosures Requiring Opportunity to Object
     • Covered Entity may Use or Disclose PHI in Limited Situations Based Upon Informal Permission
     • Disclose to Family Members, Relatives, Individuals Identified Who Are Involved in Care or Treatment
     • Use or Disclose for Facility Directory to Anyone Asking for Individual by Name, and to Clergy
  107. Opportunity to Object
     • Permission in Advance
     • No Documentation Required
     • If Emergency, May Disclose to Those Involved in Care, if Professional Judgment Exercised
     • Covered Entity May Release X-Rays, Rxs, Supplies to Person Acting on Individual's Behalf, if Professional Judgment Exercised
  108. 108. Other Uses or DisclosuresWithout Opportunity to Object• Covered Entity Must Verify Identity of Requester and Authority• Where Required by Law• Public Health Activities – Reporting Disease – Reporting Vital Statistics – Reporting to FDA – Reporting to Employer – Reporting Communicable Diseases 108
  109. 109. Disclosures Without Objection• Victims of Abuse, Neglect, or Domestic Violence – Reasonably Believes and Required/Allowed by Law – No Consent or Notification From/to Individual if Danger – Notice to Personal Representative Unless Harm 109
  110. 110. Disclosures Without Objection• Health Oversight Activities – Audits – Civil or Criminal Investigations – Not Where Individual’s Health is at Issue 110
  111. 111. Disclosures Without Objection• Law Enforcement – Where Required by Law – Information Must be Relevant – Minimum Necessary Disclosed 111
  112. 112. Disclosures Without Objection• Decedents – Disclose to Coroners, Medical Examiners, and Funeral Directors to Carry out Duties• Organ, Eye, or Tissue Donation – Use or Disclose PHI to Procurement Organizations 112
  113. 113. Disclosures Without Objection• Research Purposes – Must Satisfy Conditions With Respect to IRB Waiver• To Avert Serious Threat to Public• Certain Specialized Governmental Functions: National Security, VA, Military, Secret Service• Workers Compensation Act 113
  114. 114. Disclosures to Attorneys• Subpoenas – Notice and Opportunity to Object or Move for Qualified Protective Order (“QPO”) – QPO Not a Good Choice • Would Appear to Require Return or Destruction • No “Not Feasible” Language in the Order 114
  115. 115. Subpoenas• Proposed Procedure – Notice Letter to Patient/Patient’s Attorney • Allow for Reasonable Time (14 Days) to File Objection • Dispute Over Notice to Attorney Only? – Upon Conclusion of Time Period Send Subpoena, Copy of Notice Letter, and Cover Letter to Covered Entity • One Package, Not Waiting on Objections 115
  116. 116. Subpoena - Guidance• A Copy of the Subpoena (or Other Lawful Process) is Sufficient When, On Its Face, It Meets the Requirements of 45 CFR 164.512(e)(1)(iii), Such as Demonstrating the Individual Who is the Subject of the PHI is a Party to the Litigation, Notice of the Request has Been Provided to the Individual or His or Her Attorney, and the Time for Objections has Elapsed and No Objections Were Filed or All Objections Have Been Resolved. When These Requirements are Evident on the Face of the Request, No Additional Documentation is Required.• HHS FAQ #708 116
  117. 117. Incidental Uses or Disclosures• Where Covered Entity has Engaged in Reasonable Efforts to Safeguard PHI• Minimum Necessary Utilized for Uses and Disclosures of PHI• Unintentional or “Incidental” Uses or Disclosures Not Violation• Byproduct of Otherwise Permissible Action 117
  118. 118. MINIMUM NECESSARY RULE• Current rule: – With certain exceptions, a CE must limit uses and disclosures of PHI to the “minimum necessary” information for the purpose of the disclosure• By Aug. 17, 2010, new regulations defining minimum necessary PHI• Until that time, CE should limit PHI, to the extent practicable, to the “limited data set” – Excludes names, addresses, phone and fax numbers, email, social security and medical record numbers and nine other identifiers 118
  119. 119. Minimum Necessary• Must Use or Disclose the Minimum Necessary PHI to Carry Out Task• Specifically Restricted From Using Entire Medical Record• May Reasonably Rely Upon Statement of Professional or Law Enforcement• Internally, Restrict Access – Role-Based 119
  120. 120. Minimum Necessary• Exceptions – Treatment – Authorization – To the Individual – To DHHS – Where Required by Law, Including HIPAA 120
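As an added example, not part of the seminar slides: a Python routine that strips the identifier categories listed on slides 96-97 for the de-identification safe harbor, or only the direct identifiers the “limited data set” of slide 118 must exclude, and scrubs identifiers that leak into free-text notes. The record field names, regular expressions and sample record are assumptions constructed for this example.

```python
"""Added example (not from the seminar slides). Strips the identifier categories
listed on slides 96-97 (de-identification safe harbor) or only the direct
identifiers that the "limited data set" of slide 118 must exclude. Field names,
free-text patterns and the sample record are constructed for this example."""
import re

# The 16 direct identifiers a limited data set must exclude (45 CFR 164.514(e)).
LIMITED_DATA_SET_REMOVE = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "face_photo",
}
# Safe harbor also drops geography below state level and date detail; the
# three-digit ZIP allowance is not implemented here, so ZIP is removed outright.
SAFE_HARBOR_REMOVE = LIMITED_DATA_SET_REMOVE | {"city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that leak into free-text notes; patterns are deliberately broad.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def scrub_text(text):
    """Replace identifier-looking substrings in free text with a typed token."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record, mode="safe_harbor"):
    """Return a copy of `record` with identifiers removed for the given mode.

    "safe_harbor": remove all listed categories, reduce dates to the year and
    collapse ages over 89 (including the birth year that would reveal them).
    "limited_data_set": remove only the 16 direct identifiers; dates and
    city/state/ZIP stay, which is why such a set is still PHI and needs a data
    use agreement rather than counting as de-identified."""
    if mode == "safe_harbor":
        remove = SAFE_HARBOR_REMOVE
    elif mode == "limited_data_set":
        remove = LIMITED_DATA_SET_REMOVE
    else:
        raise ValueError(f"unknown mode: {mode}")
    over_89 = mode == "safe_harbor" and record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in remove:
            continue
        if mode == "safe_harbor" and field in DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue                    # year alone would reveal age > 89
            out[field] = value[:4]          # YYYY-MM-DD input: keep year only
        elif field == "age" and over_89:
            out[field] = "90+"              # safe harbor aggregates ages over 89
        elif field == "notes":
            out[field] = scrub_text(value)  # identifiers hide in free text too
        else:
            out[field] = value
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe",
    "street_address": "12 Elm St",
    "city": "Madison",
    "state": "WI",
    "zip": "53703",
    "birth_date": "1920-05-14",
    "age": 91,
    "admission_date": "2012-03-01",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-00042",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient reachable at (608) 555-0100 or jane@example.com; "
             "see http://portal.example/x logged from 10.0.0.5",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "safe_harbor"))
    print(deidentify(SAMPLE_RECORD, "limited_data_set"))
```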
121. Law Enforcement
• Disclosure for law enforcement purpose to law enforcement official
  – As required by law; reporting of wounds/injuries
  – To comply with a court order or court-ordered warrant, a subpoena or summons
  – In response to a grand jury subpoena
  – To respond to an administrative request
  – Only Minimum Necessary

122. Law Enforcement Official
• Definition of Law Enforcement Official
  – Officer or employee of US, State, Tribe, or political subdivision
  – Empowered by law to investigate or prosecute, or to conduct a criminal, civil, or administrative proceeding
• If requesting official unknown, Covered Entity must identify and verify authority of official
  – CE may reasonably rely upon official’s representation that minimum necessary requested

123. Required by Law
• To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i))
  – Example: state laws commonly require providers to report gunshot or stab wounds, or other violent injuries
  – Required by law
    • Mandate contained in law compelling disclosure which is enforceable in a court of law

124. Process
• Court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer (45 CFR 164.512(f)(1)(ii)(A))
  – The Rule recognizes the legal process in obtaining a court order protects the PHI
  – “Judicial Officer”
    • Preamble originally required “finding”
    • Term is not defined – look to state law?
    • Appears to be different than “court”

125. Grand Jury Subpoena
• To comply with a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(B))
  – State or Federal Grand Jury
  – The Rule recognizes that the secrecy of the grand jury process provides protections for the individual’s PHI

126. Administrative Request
• To respond to an administrative request, such as an administrative subpoena or summons, civil or authorized investigative demand or similar process authorized under law (45 CFR 164.512(f)(1)(ii)(C))
  – May be without judicial involvement
  – Must provide that:
    • PHI is relevant and material,
    • PHI is specific and limited in scope, and
    • De-identified information not sufficient

127. Identification and Location
• Disclosure of limited information in response to request of law enforcement official for purpose of identifying or locating a suspect, fugitive, material witness, or missing person (45 CFR 164.512(f)(2))
• Only if “requested”
  – Request may be oral or written
  – Includes person acting on behalf of law enforcement
    • E.g., media making announcement seeking public’s assistance in identifying suspect, or “Wanted” poster

128. Limited Information
• Limited information to be disclosed:
  – Name and address
  – Date and place of birth
  – Social Security number
  – ABO blood type and Rh factor
  – Type of injury
  – Date and time of treatment
  – Date and time of death
  – Distinguishing physical characteristics
    • Height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos

129. Information Not to be Disclosed
• Except as otherwise permitted, the following information is not to be disclosed
• PHI relating to:
  – DNA or DNA analysis
  – Dental records
  – Typing, samples, or analysis of body fluids or tissue

130. Victims of Crime
• Disclosure of PHI in response to law enforcement official’s request for information about victim or suspected victim of crime (45 CFR 164.512(f)(3))
• Only if individual agrees
  – Agreement may be oral or written
• If unable to obtain agreement, other factors must be satisfied

131. Victims of Crime
• Disclosure if individual agrees, or
• Lack of agreement due to incapacity or emergency, and
  – Law enforcement official represents PHI is needed to determine if violation of law by person other than victim and not intended to be used against victim
  – Law enforcement official represents that immediate action depends upon disclosure and would be materially and adversely impacted if waited; and
  – Disclosure is in the best interests of individual in professional judgment

132. Workforce Victims
• No violation if workforce member who is the victim of a criminal act discloses PHI to a law enforcement official (45 CFR 164.502(j)(2))
  – PHI is about the suspected perpetrator
  – Only limited information (name, address, SSN, date of treatment, etc.)
  – Crime does not need to occur on premises

133. Other Provisions on Victims
• For child abuse victims or adult victims of abuse, neglect or domestic violence, other provisions apply:
  – Child abuse or neglect reported to law enforcement official authorized by law to receive such reports; agreement of individual is not required (45 CFR 164.512(b)(1)(ii))

134. Business Associates
• Historically not Covered Directly by HIPAA
• Third Parties Who Use or Disclose PHI on Behalf of a Covered Entity, Other Than as Workforce Member
• Workforce Member – More Than Employees
  – Also Volunteers, Aides, Trainees, and Some Agents

135. Business Associates
• Examples
  – Claims Processing
  – Utilization Review
  – Quality Assurance
  – Billing
  – Legal
  – Accounting
  – Consulting

136. Business Associates
• Covered Entity Must Obtain Satisfactory Assurances From Business Associate
  – Business Associate Agreement
  – If Public Entities, Memorandum of Understanding
  – Covered in Greater Detail

137. Identifying Business Associates
• Formal Definition
  – Person Who on Behalf of Covered Entity or OHCA Performs or Assists in Activity Involving Use or Disclosure of PHI
    • Including Claims Processing, Data Analysis or Processing, Billing, Etc.
• Or
  – Who Provides Legal, Actuarial, Accounting, Consulting, or Similar Services Involving Use or Disclosure of PHI
• Not a Workforce Member

138. Entities/Persons Not Business Associates
• Workforce Members
  – Workforce Includes Employees, Volunteers, Trainees, and Other Persons Conducting Work Under Direct Control of Covered Entity
  – Look Beyond Titles
  – If Workstation on Site, Then Likely Workforce
  – If No BA Agreement, Then Presumed to be Workforce

139. Not Considered Business Associates
• Entity Not Using or Disclosing PHI
  – Regardless of Title
  – Examples: Janitors, Maintenance Services
  – Only Incidental Uses or Disclosures

140. Not Business Associates
• OHCA – Organized Health Care Arrangement
  – Technical Relationship
  – Same Said Regarding Affiliated Covered Entities (“ACE”)

141. Not Business Associates
• Conduits
  – Entity or Person That Transports PHI, but Only Accesses it Incidentally
  – Examples: US Mail, Couriers, Electronic Transmitters

142. Not Business Associates
• De-Identified Information
  – Where Identifying Factors Removed, No Need to Protect
  – Any Person May Use or Disclose De-Identified Information

143. Not Business Associates
• Covered Entities
  – May Be Considered a Business Associate of Another Covered Entity
  – If Acting as Business Associate, and Makes Mistake, Then DHHS Will Treat as Covered Entity and Not Business Associate

144. Business Associate Contract/Agreement
• Documents the Satisfactory Assurances
• Prerequisite Before Covered Entity May
  – Disclose PHI to the BA
  – Allow BA to Create PHI on Behalf of the Covered Entity
  – Allow BA to Receive PHI on Behalf of the Covered Entity

145. No Business Associate Contract or Agreement
• Covered Entity Transmitting PHI to a Provider for Treatment
• Group Health Plan and Plan Sponsor, If Otherwise Comply With Rule
• Interagency Disclosure Among Government Health Plans

146. Business Associate Agreement
• Non-Governmental Entities
  – Written Contract Required
  – Permitted and Required Uses and Disclosures of PHI
  – BA Not to Further Use or Disclose
  – BA to Use Appropriate Safeguards
  – BA to Report Breach
  – BA to Ensure Subcontractors Agree to Same Terms

147. Business Associate Agreement Terms
• Make PHI Available for Access
• Make PHI Available for Amendment and Incorporate Amendments
• Make PHI Available to Prepare Accounting
• Compliance with DHHS Investigation
• Return, Destroy, or Safeguard PHI

148. Business Associate Agreement
• Covered Entity Must Be Able to Terminate if Violation
• Covered Entity Must Attempt to Mitigate or Cure Breach, and Report to DHHS

149. Business Associate Agreement Additions
• Permit BA to Use or Disclose PHI to Provide Data Aggregation Services
  – Combining PHI From One Covered Entity with PHI of Another to Prepare Data Analysis That Relates to Operations of the Respective Covered Entities

150. Business Associate Agreement Additions
• BA May USE PHI
  – Proper Management and Administration
  – Carry Out Legal Responsibilities
• BA May DISCLOSE PHI
  – Proper Management and Administration
  – Carry Out Legal Responsibilities
  – Reasonable Assurances Obtained

151. Business Associate Model Contract
• Not State Law Compliant
• Not All Essential Terms
• Not All Desirable Terms

152. Suggested Business Associate Agreement Terms
• Negotiating Power/Leverage Deciding Factor
  – Large Provider vs. Small BA
  – JCAHO vs. Large Provider
• Damages/Liquidated Damages Clauses
• Indemnification Clauses
• Insurance Coverage Requirement
• Burden of Proof
• CE Will Oversee BA Response to Access, Amendment, Accounting, and Any Other Disclosures

153. Other Terms in Your BAA
• Many Covered Entities Require Indemnification Clause in Business Associate Agreement
  – Contractual Indemnity May Void Legal Malpractice Insurance Coverage
  – Appears that Contractual Obligation Imposed Under BAA Would be Covered
• Best Choice for Client May be No Indemnification Clause
  – Full Disclosure
  – Conflict of Interest?

154. Other Aspects of Relationship
• Privacy Rule Requires Business Associate to Return or Destroy PHI Upon Conclusion or Termination of Relationship
  – Not Required if “Not Feasible,” But Then Must Extend Protections to PHI
  – Attorney Obligated to Maintain Records

155. Accountability
• Penalties for Non-Compliance
  – On Covered Entity
• If Covered Entity Knew of Pattern or Practice That Constitutes Material Breach
  – CE Must Take Steps to Cure Breach or End Violation
  – If Unsuccessful, CE May Terminate Agreement
  – If Termination Not Feasible, Then Report to DHHS
  – Not Obligated to Monitor
  – Must Investigate All Complaints
  – Must Act Upon Any Knowledge of Violation

156. New Definition of Business Associate?
• Health Information Organizations
• E-Prescribing Gateways
• Others that provide
  – Data transmission services with respect to PHI, and
  – Require access on a routine basis to such PHI
• “Conduits” that only access PHI on a random or infrequent basis to support transport are not BAs

157. Definition of Business Associate
• PHR vendors acting on behalf of covered entities are BAs
  – PHR vendor can be a BA with respect to only some individuals
• Subcontractors
  – Treated as BAs if they create, receive, maintain, or transmit PHI on behalf of a BA
  – BA must have BA agreement with subcontractor BA
  – No BA agreement required between CE and subcontractor BA

158. Business Associates
• BAs directly liable for:
  – Security Rule violations
  – Impermissible uses and disclosures under Privacy Rule
    • Uses and disclosures must comply with Privacy Rule and business associate agreement
  – Failure to disclose to Secretary or provide e-access
  – Minimum necessary rule
• Covered entities (and BAs) liable for acts of BAs acting as agents within scope of agency
• BA must take reasonable steps in response to impermissible pattern or practice of subcontractor BA

159. Business Associate Contracts—Amendments Required?
• HITECH statute said privacy and security requirements that apply to covered entities
  – “shall be incorporated into business associate agreement”
• Uncertainty as to whether this required an actual amendment, or provisions incorporated into BA contracts as a matter of law

160. Business Associate Contracts—Amendments Required?
• Under Proposed Rule, the following provisions need to be added:
  – BAs to use appropriate safeguards and comply with Security Rule with respect to E-PHI
  – BAs must report to CE any breach of unsecured PHI
  – Enter into written agreements with subcontractors that create/receive PHI on behalf of BA, imposing same restrictions that apply to BA
  – BAs must comply with Privacy Rule to the extent BA is to carry out a CE’s obligation under the Privacy Rule

161. Compliance Date, Generally
• Covered entities and BAs will have 240 days from publication of final rule to comply
  – Rule will become effective 60 days after publication
  – Additional 180-day compliance period
• Enforcement Rule changes effective immediately when final rule goes into effect

162. Compliance Date for Amending Business Associate Contracts
• If (1) a BA contract (compliant with pre-HITECH BA requirements) is entered into prior to publication date of Final Rule; and
• (2) that contract is not renewed or modified during the time period that is 60 days to 240 days after the publication of the final rule, then the contract is deemed to be compliant until the earlier of:
  – The date the contract is renewed or modified on or after the 240-day post-publication date; or
  – The date that is one year and 240 days after publication of the Final Rule
• Bottom Line:
  – CEs and BAs will have up to 1 year and 8 months after Final Rule published to revise BA agreements
  – BAs must comply with other applicable provisions of Privacy and Security Rules during this transition period

163. Notification by Business Associates
• BAs required to notify CE of breach
• Notification to occur no later than 60 days after discovery of breach
• Breach treated as discovered by BA as of first day breach is known to BA, or, through reasonable diligence, would have been known
• BA deemed to have knowledge of breach if breach would have been known through reasonable diligence to anyone who is an agent of BA
• If BA is an agent, then BA’s discovery of breach is imputed to CE

164. Business Associates
• Historically were not covered directly by HIPAA
  – Generally liable only for breaching their business associate agreement with a covered entity
• HITECH:
  – Clarifies that certain entities are BAs
  – Expands HIPAA requirements that apply to BAs

165. Business Associates—Who is a BA?
• In the past, entities that provided networks or other hardware for data transmission were not considered BAs
• Under HITECH, entities that provide data transmission services and require access to PHI are BAs, including:
  – Health information exchange organizations
  – RHIOs
  – E-Prescribing gateways
  – PHR vendors that provide PHRs to covered entities

166. Business Associates—New Requirements
• HITECH: BAs are required to:
  – Notify CE if they discover a breach
  – Directly comply with HIPAA Security Rule administrative, physical and technical safeguards and documentation requirements—as if they were CEs
  – Means regulators may impose fines directly on BAs who fail to comply with Security Rule

167. Business Associates—New Requirements
• HITECH: BAs are required to:
  – Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their BA contracts
  – Means BAs are subject to same penalties as CEs if they violate Privacy Rule

168. Business Associates—New Requirements
• Other HITECH privacy and security requirements that apply to covered entities
  – “shall be incorporated into business associate agreement”

169. Business Associates—New Requirements
WHAT DOES THIS MEAN FOR BAs?
• BAs must take action if they know of a pattern of activity or practice by CE that constitutes a breach of the CE’s obligations under the contract:
  – Reasonable steps to cure breach
  – Terminate the arrangement
  – Report the problem to HHS if termination is not feasible
• If BA does not do the above, it may be liable for HIPAA penalties

170. HIPAA and Attorneys
• Interaction of HIPAA Requirements Imposed Upon Attorneys via Business Associate Agreements

171. Business Associates
• Business Associate Means a Person, Other Than a Workforce Member, Who:
  – Provides Legal, Actuarial, Accounting, Consulting, …, Where the Provision of the Service Involves the Disclosure of Individually Identifiable Health Information
• Lawyers May Be Business Associates

172. Business Associate Agreement
• Covered Entity Must Enter Into Business Associate Agreement With Lawyer if Using or Disclosing Protected Health Information (“PHI”)
• If Business Associate Fails to Comply, Covered Entity Must Do One of the Following:
  – Try to Cure Breach
  – Terminate the Agreement
  – Report Violation to DHHS

173. Violation of Business Associate Agreement
• If Business Associate Violates Agreement, and Covered Entity Fails to Act, Then Covered Entity is Subject to Penalties
• Note that Business Associate Attorney is NOT Subject to Penalties
  – Privacy Rule Does Not Directly Govern Business Associates

174. Business Associate Agreement Terms
• Agreement Must Contain Specified Terms:
  – Permitted and Required Uses and Disclosures of PHI
  – Required Safeguards for PHI
  – Ensure Subcontractors Comply
  – Make PHI Available for Access, Accounting, and Amendment
  – Upon Termination, Return, Destroy, or Keep in Accordance with Privacy Rule

175. Business Associate Agreement
• Specified Terms of BA Agreement Include that Business Associate Must:
  – Make its Internal Practices, Books, and Records Relating to the Use and Disclosure of Protected Health Information (“PHI”) Available to DHHS for Inspection to Determine Compliance

176. Waiver/Loss of Protections
• BA Agreement Requirement That BA Attorney Must Make Internal Practices, Books, and Records Available
  – Could Result in Requiring Production of Privileged and/or Work Product Materials
  – Issue Whether Must Produce to DHHS and Whether Waives Protections as to Others

177. Overview of HIPAA Security Rule: Obligations of Covered Entities and Business Associates
Lorman Education Services: Medical Records Law
March 23, 2012
Richard E. Nell, Nell & Associates, S.C.
Jesse A. Berg, Gray Plant & Mooty
178. HIPAA Security Rule
• Security Rule
  – Addressable Implementation Specifications (“AIS”)
  – Allows Covered Entities Additional Flexibility
  – Covered Entity Must Do One of the Following
    • Implement One or More AIS
    • Implement One or More Alternative Security Measures
    • Implement One or the Other
    • Implement Neither

179. Security Rule
• Security Rule Administrative Safeguards
  – Security Management Process
    • Implement Policies and Procedures to Prevent, Detect, Contain, and Correct Security Violations
    • Implementation Analysis
      – Risk Analysis (Required)
        » Conduct an Accurate and Thorough Assessment of the Potential Risks and Vulnerabilities to the Confidentiality, Integrity, and Availability of Electronic Protected Health Information
      – Risk Management (Required)
        » Implement Security Measures Sufficient to Reduce Risks and Vulnerabilities to a Reasonable and Appropriate Level

180. Security Rule
• Security Rule Administrative Safeguards
  – Implementation Analysis (Continued)
    • Sanction Policy (Required)
      – Appropriate Sanctions Against Workforce Members Who Fail to Comply With the Security Policies and Procedures
    • Information System Activity Review (Required)
      – Implement Procedures to Regularly Review Records of Information System Activity, Such As Audit Logs, Access Reports, and Security Incident Tracking Reports

181. Security Rule
• Security Rule Administrative Safeguards
  – Assigned Security Responsibility
    • Identify the Security Official
  – Workforce Security
    • Implement Policies and Procedures to Ensure That All Members of Its Workforce Have Appropriate Access to Electronic Protected Health Information
    • Prevent Those Workforce Members Who Do Not Have Access From Obtaining Access

182. Security Rule
• Security Rule Administrative Safeguards
  – Workforce Security (Continued)
    • Implementation Analysis
      – Authorization and/or Supervision (Addressable)
        » Procedures for the Authorization and/or Supervision of Workforce Members Who Work With Electronic Protected Health Information
      – Workforce Clearance Procedure (Addressable)
        » Procedures to Determine That the Access of a Workforce Member to Electronic Protected Health Information

183. Security Rule
• Security Rule Administrative Safeguards
  – Workforce Security Implementation Analysis (Continued)
    • Termination Procedures (Addressable)
      – Procedures for Terminating Access to Electronic PHI When Employment Ends
  – Information Access Management
    • Implement Policies and Procedures for Authorizing Access to Electronic Protected Health Information

184. Security Rule
• Security Rule Administrative Safeguards
  – Information Access Management Implementation Analysis
    • Isolating Clearinghouse Functions (Required)
    • Access Authorization (Addressable)
      – Implement Policies and Procedures for Granting Access to Electronic Protected Health Information
    • Access Establishment and Modification (Addressable)
      – Implement Policies and Procedures That, Based Upon the Entity’s Access Authorization Policies, Establish, Document, Review, and Modify a User’s Right of Access

185. Security Rule
• Security Rule Administrative Safeguards
  – Security Awareness and Training
    • Implementation Analysis
      – Security Reminders (Addressable)
        » Periodic Security Updates
      – Protection From Malicious Software (Addressable)
        » Procedures for Guarding Against, Detecting, and Reporting Malicious Software
      – Log-In Monitoring (Addressable)
        » Monitor Access and Discrepancies
      – Password Management (Addressable)
        » Procedures for Creating, Changing, and Safeguarding

186. Security Rule
• Security Rule Administrative Safeguards
  – Security Incident Procedures
    • Implementation Analysis
      – Response and Reporting (Required)
        » Identify and Respond to Suspected or Known Security Incidents; Mitigate Harmful Effects of Security Incidents and Document Security Incidents and Their Outcomes

187. Security Rule
• Security Rule Administrative Safeguards
  – Contingency Plan
    • Implementation Analysis
      – Data Backup Plan (Required)
        » Procedures to Create and Maintain Retrievable Exact Copies of Electronic Protected Health Information
      – Disaster Recovery Plan (Required)
      – Emergency Mode Operation Plan (Required)
        » Procedures to Enable Continuation of Critical Business Processes for Protection of the Security of Electronic Protected Health Information While Operating in Emergency Mode

188. Security Rule
• Security Rule Administrative Safeguards
  – Contingency Plan Implementation Analysis (Continued)
    • Testing and Revision Procedures (Addressable)
    • Applications and Data Criticality Analysis (Addressable)
  – Evaluation
    • Implementation Analysis
      – Periodic Technical and Nontechnical Evaluation, Based Initially Upon the Standards Implemented Under This Rule and Subsequently, in Response to Environmental or Operational Changes Affecting the Security of Electronic Protected Health Information

189. Security Rule
• Security Rule Physical Safeguards
  – Facility Access Controls
    • Implementation Analysis
      – Contingency Operations (Addressable)
        » Procedures That Allow Facility Access in Support of Restoration of Lost Data
      – Facility Security Plan (Addressable)
        » Procedures to Safeguard the Facility and the Equipment
      – Access Control and Validation Procedures (Addressable)
        » Procedures to Control and Validate a Person’s Access to Facilities Based on Their Role or Function

190. Security Rule
• Security Rule Physical Safeguards
  – Facility Access Controls Implementation Analysis (Continued)
    • Maintenance Records (Addressable)
      – Procedures to Document Repairs and Modifications to the Physical Components of a Facility
  – Workstation Use
    • Procedures That Specify the Proper Functions to Be Performed, the Manner in Which Those Functions Are to Be Performed, and the Physical Attributes of the Surroundings of a Specific Workstation or Class of Workstation
  – Workstation Security
    • Physical Safeguards for All Workstations

191. Security Rule
• Security Rule Physical Safeguards
  – Device and Media Controls
    • Implementation Analysis
      – Disposal (Required)
      – Media Reuse (Required)
      – Accountability (Addressable)
      – Data Backup and Storage (Addressable)

192. Security Rule
• Security Rule Technical Safeguards
  – Access Control
    • Implementation Analysis
      – Unique User Identification (Required)
        » Unique Name and/or Number for Identifying and Tracking User Identity
      – Emergency Access Procedure (Required)
        » Procedures for Obtaining Necessary Electronic Protected Health Information During an Emergency
      – Automatic Logoff (Addressable)
      – Encryption and Decryption (Addressable)

193. Security Rule
• Security Rule Technical Safeguards
  – Audit Controls
    • Hardware, Software, and/or Procedural Mechanisms That Record and Examine Activity in Information Systems
  – Integrity
    • Procedures to Protect Electronic Protected Health Information From Improper Alteration or Destruction
    • Mechanism to Authenticate Electronic PHI (Addressable)

194. Security Rule
• Security Rule Technical Safeguards
  – Person or Entity Authentication
    • Procedures to Verify That a Person or Entity Seeking Access to Electronic Protected Health Information Is the One Claimed
  – Transmission Security
    • Integrity Controls (Addressable)
      – Security Measures to Ensure That Electronically Transmitted Electronic Protected Health Information Is Not Improperly Modified Without Detection
    • Encryption (Addressable)
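As an added example, not part of the seminar slides: a Python model of the technical safeguards on slides 192-194 (unique user identification, role-based access limited to the minimum necessary, automatic logoff, audit controls) with the information system activity review of slide 180 run over a constructed audit log. The roles, user directory, log format and thresholds are assumptions made for this example.

```python
"""Added example (not from the seminar slides). A small model of the technical
safeguards on slides 192-194 (unique user IDs, role-based access limited to the
minimum necessary, automatic logoff, audit controls) plus the administrative
"information system activity review" of slide 180 run over a constructed audit
log. Roles, user directory, thresholds and log format are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed role-to-section mapping: each role sees only what its job needs.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical", "medications", "lab"},
    "billing": {"demographics", "insurance", "charges"},
    "scheduler": {"demographics"},
}

# Constructed user directory: unique user id -> (role, account active?).
# No shared accounts, so every audit line can be traced to one person.
USERS = {
    "u1001": ("physician", True),
    "u2001": ("billing", True),
    "u2002": ("billing", False),   # terminated; access should already be revoked
    "u3001": ("scheduler", True),
}


def authorize(user_id, requested_sections):
    """Access control decision for one request.

    Returns ("grant", sections), ("partial", sections) when the role may see only
    some of what was asked for, or ("deny", set()) for unknown/inactive users and
    requests that touch nothing the role is allowed to see."""
    entry = USERS.get(user_id)
    if entry is None or not entry[1]:
        return "deny", set()
    allowed = ROLE_PERMISSIONS.get(entry[0], set()) & set(requested_sections)
    if not allowed:
        return "deny", set()
    if allowed == set(requested_sections):
        return "grant", allowed
    return "partial", allowed


def session_expired(last_activity, now, idle=timedelta(minutes=15)):
    """Automatic logoff: a session idle for the configured period is over."""
    return now - last_activity >= idle


def parse_audit_line(line):
    """Parse one constructed 'key=value' audit line into a dict."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def review_activity(lines, failed_login_threshold=3, distinct_patient_threshold=5):
    """Information system activity review over audit lines.

    Returns a sorted list of (finding, user_id) pairs for: any activity by an
    inactive account, repeated failed log-ins, and a user opening more distinct
    patient records than the threshold (possible record browsing)."""
    findings = set()
    failed_logins = Counter()
    patients_seen = defaultdict(set)
    for line in lines:
        event = parse_audit_line(line)
        user = event["user"]
        if user in USERS and not USERS[user][1]:
            findings.add(("activity_by_inactive_user", user))
        if event["event"] == "login" and event["outcome"] == "fail":
            failed_logins[user] += 1
        if event["event"] == "access" and event["outcome"] in ("grant", "partial"):
            patients_seen[user].add(event["patient"])
    for user, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.add(("repeated_failed_logins", user))
    for user, patients in patients_seen.items():
        if len(patients) > distinct_patient_threshold:
            findings.add(("unusual_record_volume", user))
    return sorted(findings)


SAMPLE_AUDIT_LINES = [  # constructed sample log, not real data
    "ts=2012-03-23T08:01:00 user=u1001 event=access patient=P-1 outcome=grant",
    "ts=2012-03-23T08:05:00 user=u3001 event=login patient=- outcome=fail",
    "ts=2012-03-23T08:06:00 user=u3001 event=login patient=- outcome=fail",
    "ts=2012-03-23T08:07:00 user=u3001 event=login patient=- outcome=fail",
    "ts=2012-03-23T09:00:00 user=u2002 event=access patient=P-2 outcome=deny",
] + [
    f"ts=2012-03-23T10:{m:02d}:00 user=u2001 event=access patient=P-{m} outcome=grant"
    for m in range(1, 8)   # one billing user opening seven distinct records
]

if __name__ == "__main__":
    for finding in review_activity(SAMPLE_AUDIT_LINES):
        print(finding)
```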
  195. 195. Security Rule• Security Rule Organizational Requirements – Business Associate Contracts • Very Similar to the Requirements Imposed for Business Associates Under the Privacy Rule – Group Health Plans • Except in Certain Situations, Group Health Plan Must Ensure That Its Plan Documents Provide That the Plan Sponsor Will Reasonably and Appropriately Safeguard Electronic Protected Health Information Created, Received, Maintained, or Transmitted to or by the Plan Sponsor on Behalf of the Group Health Plan 195
196. Security Rule
• Security Rule Policies and Procedures and Documentation Requirements
  – Policies and Procedures
    • Implementation Analysis
      – Reasonable and Appropriate Policies and Procedures to Comply With the Standards, Implementation Specifications, or Other Requirements
197. Security Rule
• Security Rule Policies and Procedures
• Documentation
  – Implementation Analysis
    • Time Limit (Required) – 6 Years
    • Availability (Required)
    • Updates (Required)
198. Security Rule
199. HIPAA Breach Notification
200. Breach Notification
• Previous Rule:
  – Covered Entities (“CEs”) must mitigate, to the extent practicable, any harmful effect that is known to the CE of an unauthorized use or disclosure of PHI by the CE or its Business Associate (“BA”)
• HITECH established breach notification requirement for CEs and BAs
• “Interim” Final Regulations published on Aug. 24, 2009 (74 FR 42740)
  – Regulations will be at 45 CFR Subpart D
• Effective on Sept. 23, 2009
• 6-month delay in enforcement
201. Breach Notification
• The Basics:
  – Covered Entities must provide notification to individuals in event of breach of the security or privacy of unsecured PHI
  – Notice must also be provided to HHS
  – BAs must provide notice to CEs
202. Breach Notification
• Interim Final Rule (Aug. 2009)
  – Effective Sept. 23, 2009
  – Final Rule submitted to OMB in May 2010 but withdrawn “for further consideration”
• Key elements:
  – Notification if breach of unsecured PHI and significant risk of harm
  – “Unsecured” = PHI not rendered unusable, unreadable or indecipherable to unauthorized persons
  – Notice w/in 60 days of discovery or date “should have known”; content requirements for notice
  – Notice to media and HHS if more than 500 people; annual reporting to HHS if fewer than 500 people
  – Direct application to Covered Entities and BAs
203. Key Terms—“Unsecured PHI”
• PHI not secured through use of a technology or methodology specified in Federal Register guidance published by HHS on 4/27/09 (74 FR 19006)
  – Encryption (as specified in Security Rule)
  – Destruction of media on which PHI is stored or recorded
• Why secure your PHI?
204. Breach Notification Analysis
• If your PHI is “unsecured,” a 3-step analysis applies:
  – Has there been an impermissible use or disclosure of PHI under the Privacy Rule?
  – Has the impermissible use or disclosure compromised the security or privacy of the PHI?
  – Does an exception apply?
205. Step 1—“Breach”
• The “acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E (the HIPAA privacy rule) which compromises the security or privacy of the PHI”
  – Information must be PHI
  – For disclosure, acquisition, etc., to be a “breach” it must violate the Privacy Rule
206. Step 2—“Compromises Security or Privacy of PHI”
• Harm threshold must be met for breach to “compromise the security or privacy of the PHI”
  – Must pose a significant risk of financial, reputational or other harm to the individual
• CEs and BAs must perform “risk assessment” to determine whether this threshold is met
• Documentation of risk assessment is key for CE, BA if they decide harm threshold has not been met
207. Step 2—“Compromises Security or Privacy of PHI”
• Risk assessment factors:
  – Status of person who impermissibly used the PHI or to whom the PHI was improperly disclosed
  – Nature of mitigation efforts undertaken
  – Whether PHI was returned prior to being accessed for improper purpose
  – Type and amount of PHI involved
  – If an LDS (limited data set) was involved, whether the date of birth and zip code are also excluded (if so, not a breach); the likelihood of re-association with the individual is also a factor to be considered
208. Step 3—the “Exceptions”
• 3 Exceptions:
  – (1) Unintentional acquisition, access or use of PHI by a workforce member or person acting under authority of CE or BA, if acquisition was made in good faith, within scope of authority and does not result in further impermissible use or disclosure
209. Step 3—the “Exceptions”
• (2) Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE, BA (or OHCA in which CE participates), and the information received is not further used or disclosed in an impermissible manner
210. Step 3—the “Exceptions”
• (3) A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information
211. Notification
• Breach discovered on the first day it is known, or, by exercising reasonable diligence, would have been known
• Notice can be imputed to CE or BA from a variety of its representatives, including employees (other than the employee causing the breach) and agents
212. Timing of Notification
• All notifications must be made without unreasonable delay
  – No later than 60 calendar days after discovery
  – Burden on notifying entity to:
    • Demonstrate that all required notifications were made
    • Explain any delays
• 60-day period not tolled by time spent in analysis or investigation
• Limited delay if requested by law enforcement
213. Methods of Notice
• Notice must be
  – In writing
  – By first class mail
  – Sent to the last known address of individual (if individual specified preference for email notification, that should be done)
  – One or more mailings (as more information becomes available)
  – If more than 500 residents of a state or jurisdiction are affected:
    • Notices described above; and
    • Notification to prominent media outlets in state or jurisdiction
214. Methods of Notice
• Special circumstances notices:
  – If insufficient or out-of-date contact information and
  – Fewer than 10 affected people:
    • By an alternative form of written notice, telephone or other means
  – More than 10 affected people:
    • Conspicuous posting for 90 days on CE’s homepage; or
    • Notice to major print or broadcast media
    • Must include toll-free phone number
• Notice to HHS:
  – If more than 500 individuals affected, notice must be contemporaneous with notice to individuals
  – Can keep log of breaches affecting fewer people and provide annually to HHS
  – HHS to publicize breached entities on its web site
215. Content of Notice
• All notices, to the extent possible, must include:
  – Description of what happened, including date of breach and date breach was discovered
  – Description of the types of unsecured PHI involved in the breach
  – Steps individuals should take to protect themselves from potential harm resulting from breach
  – Description of what CE is doing to investigate breach, mitigate harm to the individual and protect against further breaches
  – Contact procedures for individuals to ask questions or learn additional information, including toll-free number, email, web site or postal address
216. Wisconsin Law