Brian Balow HIPAA Final Rule


Connecting Michigan for Health 2013

Published in: Health & Medicine, Technology

  1. No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules
     Brian R. Balow, Dickinson Wright PLLC, June 6, 2013
  2. Overview
     • Released January 17, 2013
     • Effective March 26, 2013
     • Covered entities and business associates have 180 days beyond the effective date to come into compliance with most of the Final Rule’s provisions (September 23, 2013)
  3. Rules to be Discussed
     • Privacy Rule
     • Security Rule
     • Breach Notification Rule
     • Enforcement Rule
  4. Some General Matters
     • Patient Safety Organizations are now business associates
     • HIOs, E-Prescribing Gateways, and others that facilitate ePHI transmission can be business associates (if they have “access to PHI on a routine basis” and are not merely a conduit)
     • PHR vendors can be business associates if the PHR is offered on behalf of a covered entity
  5. Some General Matters
     • Subcontractors to a covered entity can be business associates “to the extent that they require access to PHI.” Thus, a covered entity must obtain the satisfactory assurances of compliance required by the Rules from its business associates, and business associates must obtain the same from their subcontractors
     • PHI “stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules”
     Copyright 2013 Michigan Health Information Network
  6. Privacy Rule
     • Uses and disclosures of patient information:
       - Genetic information (health plans as defined in HIPAA)
       - Sale of PHI
       - To a health plan if the services were paid for by the patient
       - Marketing activities
       - Fundraising activities
       - Deceased persons
       - Immunization records to schools
  7. Privacy Rule
     • Confirms a business associate’s direct liability for specific provisions of the Privacy Rule
     • Business associates are not directly liable for other Privacy Rule provisions (e.g., providing a NPP) unless the obligation is delegated to the BA under a BAA
     • A BA may use PHI for “proper management and administration of the BA and to provide data aggregation services to a covered entity”
  8. Privacy Rule
     • A BA must enter into a BAA-style agreement with a subcontractor prior to disclosing PHI
     • Covered entities no longer need to report an uncured breach by a BA of its obligations under a BAA
     • A BA must attempt to cure a subcontractor’s breach of “satisfactory assurance” type obligations (parallel to a CE’s obligations vis-à-vis a BA)
  9. Privacy Rule
     • Required changes to BAAs:
       - The BA must comply, where applicable, with the Security Rule regarding ePHI
       - The BA must report breaches of unsecured PHI to the CE
       - The BA must flow down satisfactory assurance provisions to its subcontractors
       - If a Privacy Rule requirement is delegated to the BA, the BA is liable to the CE if the BA breaches the pertinent Privacy Rule requirement (this does not create direct BA liability, however)
  10. Privacy Rule
     • BAA Amendments: IF
       - an existing BAA was in place prior to January 25, 2013, and is compliant with the Privacy Rule as then in effect, and
       - the existing BAA is not renewed or modified between March 26 and September 23, 2013,
     • THEN that BAA is deemed compliant until the earlier of
       - the date on which the BAA is renewed or modified after September 23, 2013, or
       - September 24, 2014
  11. Security Rule
     • The Security Rule’s administrative, physical, and technical safeguard requirements, as well as the Rule’s policies and procedures and documentation requirements, apply to business associates in the same manner as they apply to covered entities, and BAs will be civilly and criminally liable for violations
     • It is the BA’s, and not the CE’s, obligation to obtain satisfactory assurances from a subcontractor regarding protection of ePHI
     • Formerly required but duplicative BAA provisions are no longer required (i.e., those required under each of the Privacy Rule and the Security Rule)
  12. Breach Notification Rule
     • Unsecured PHI
       - Secured PHI = compliance with valid encryption processes:
         * for data at rest, consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and
         * for data in motion, consistent with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated
  13. Breach Notification Rule, Cont’d
     • “Breach”
       1. An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA can demonstrate a “low probability” that the PHI was “compromised” (a move away from the “risk of harm” standard)
       2. The CE or BA must conduct a risk assessment to determine if the PHI was compromised
  14. Breach Notification Rule, Cont’d
     • Risk Assessment:
       1. Nature and extent of the PHI involved (including identifiers and the likelihood of re-identification)
       2. Consider the recipient (e.g., already under a HIPAA obligation?)
       3. Was the PHI actually acquired or viewed?
       4. Extent to which the risk has been mitigated
  15. Breach Notification Rule, Cont’d
     • Notification to Individuals
       - “Discovery”: when the CE knew of the breach, or by exercising reasonable diligence would have known; the breach is treated as known to the CE when it is known (or with reasonable diligence would have been known) to any person, other than the person committing the breach, who is a workforce member or agent of the CE
       - Timeliness: without unreasonable delay, and not more than 60 days post-discovery (the law enforcement delay exception remains)
       - Content:
         * What happened, when, and when it was discovered
         * Description of the compromised PHI
         * Steps individuals should take to mitigate the effects
         * Steps the CE is taking, plus contact information
  16. Breach Notification Rule, Cont’d
     • Notification to Media:
       - Unsecured PHI
       - 500+ affected individuals in any one State
       - Within 60 days of discovery, at most
       - “Prominent media outlet” (depends on the market)
       - A press release on a CE website does not meet this requirement
  17. Breach Notification Rule, Cont’d
     • Notification to Secretary:
       - 500+ affected individuals (anywhere): “immediate” (meaning at the time individual notices are sent)
       - Fewer than 500: maintain a log and report on the HHS website annually, within 60 days of the end of the year
     • Notification by a Business Associate:
       - The BA’s knowledge of a breach is imputed to the CE if the BA is an agent of the CE (meaning the CE’s clock starts ticking when the BA “discovers” the breach)
       - Otherwise, the CE’s clock begins upon notice from the BA
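The clocks and thresholds on slides 15 through 17 are the kind of thing an incident-response team ends up encoding in its breach playbook. The following is an added example, not code from the presentation or from Dickinson Wright: a small Python helper (hypothetical names `BreachFacts`, `ce_discovery_date`, `notification_plan`) that, given a few constructed facts about a breach, works out the discovery date attributable to the CE (agent BA versus non-agent BA) and the individual, media and Secretary notice deadlines. It assumes the 60-day window is counted in calendar days, that the annual report for under-500 breaches is tied to the calendar year of discovery, that the risk assessment on slides 13 and 14 did not show a low probability of compromise, and it ignores the law-enforcement delay exception.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Hypothetical helper (added example, not from the presentation): encodes the
# clocks and thresholds stated on slides 15-17 so a response team can compute
# its notification deadlines from a few facts about a breach.

WINDOW = timedelta(days=60)   # "not more than 60 days post-discovery" (assumed: calendar days)
MEDIA_THRESHOLD = 500         # 500+ affected individuals in any one State -> media notice
SECRETARY_IMMEDIATE = 500     # 500+ affected individuals anywhere -> notify Secretary "immediately"


@dataclass
class BreachFacts:
    """Facts needed to start the clocks. Dates are ISO strings (YYYY-MM-DD)."""
    affected_by_state: Dict[str, int] = field(default_factory=dict)  # constructed counts, e.g. {"MI": 620}
    ce_discovered: Optional[str] = None    # date a CE workforce member/agent knew or should have known
    ba_discovered: Optional[str] = None    # date the business associate discovered the breach
    ba_notified_ce: Optional[str] = None   # date the BA gave notice to the CE
    ba_is_agent: bool = False              # BA is the CE's agent under Federal common law principles
    secured: bool = False                  # PHI encrypted per NIST SP 800-111 / 800-52 / 800-77 / 800-113


def _d(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def ce_discovery_date(f: BreachFacts) -> date:
    """Slide 17: an agent BA's knowledge is imputed to the CE (its clock starts when
    the BA discovers); for a non-agent BA the CE's clock starts on notice from the BA."""
    candidates = [d for d in (_d(f.ce_discovered),) if d]
    if f.ba_is_agent and f.ba_discovered:
        candidates.append(_d(f.ba_discovered))
    elif f.ba_notified_ce:
        candidates.append(_d(f.ba_notified_ce))
    if not candidates:
        raise ValueError("no discovery date known; the clock has not started")
    return min(candidates)  # earliest knowledge attributable to the CE


def notification_plan(f: BreachFacts) -> dict:
    """Deadlines for individual, media and Secretary notices (slides 15-17).
    Assumes the risk assessment (slides 13-14) did NOT show a low probability of
    compromise, and ignores the law-enforcement delay exception."""
    if f.secured:
        # Secured PHI (slide 12) is outside the Breach Notification Rule.
        return {"notification_required": False}
    disc = ce_discovery_date(f)
    total = sum(f.affected_by_state.values())
    individual_deadline = disc + WINDOW
    media_states = sorted(s for s, n in f.affected_by_state.items() if n >= MEDIA_THRESHOLD)
    plan = {
        "notification_required": True,
        "discovery_date": disc.isoformat(),
        "individual_notice_deadline": individual_deadline.isoformat(),
        "media_notice_states": media_states,
        "media_notice_deadline": individual_deadline.isoformat() if media_states else None,
    }
    if total >= SECRETARY_IMMEDIATE:
        plan["secretary_notice"] = "immediate (with individual notices)"
        plan["secretary_notice_deadline"] = individual_deadline.isoformat()
    else:
        # Under 500: log it and report annually within 60 days of the end of the year
        # (assumed: the calendar year in which the breach was discovered).
        plan["secretary_notice"] = "log; annual report"
        plan["secretary_notice_deadline"] = (date(disc.year, 12, 31) + WINDOW).isoformat()
    return plan


if __name__ == "__main__":
    # Constructed scenario: an agent BA discovered the breach on Oct 1 but told the CE on Oct 20.
    facts = BreachFacts(affected_by_state={"MI": 620, "OH": 40},
                        ba_discovered="2013-10-01", ba_notified_ce="2013-10-20", ba_is_agent=True)
    for k, v in notification_plan(facts).items():
        print(f"{k}: {v}")
```

In the constructed scenario the agency relationship moves discovery back from October 20 to October 1, which is the whole point of slide 17: a CE cannot rely on the date its BA got around to telling it. Flipping `ba_is_agent` to `False` starts the clock on the notice date instead.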
  18. Enforcement Rule
     • Four civil money penalty tiers based on culpability:
  19. Enforcement Rule, Cont’d
     • “Reasonable cause” (second tier) is defined as “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”
     • Covered entities and business associates are now liable as principals for the acts of business associates (for CEs) or subcontractors (for BAs) acting as agents under Federal common law principles
  20. Enforcement Rule, Cont’d
     • Bases for Penalty Determinations:
       1. Nature and extent of the violation
       2. Nature and extent of the harm
       3. History of prior compliance
       4. Financial condition of the CE or BA
       5. Other matters “as justice requires”
  21. To-Do List: All
     1. Print pp. 491–562 of the Final Rule and put them in a binder
     2. Read them in conjunction with the existing HIPAA regulations (which should likewise be in a binder)
  22. To-Do List: Covered Entities
     1. Update privacy policies (uses and disclosures of PHI)
     2. Update compliance plan consistent with Breach Notification Rule changes
     3. Examine BA relationships in light of agency liability issues
     4. BAA review and revision (including amendments to existing BAAs)
     5. Update notice of privacy practices and patient authorization form
     6. (Seriously) consider encryption of ePHI if not already done
     7. Conduct training
     8. Use OCR resources
  23. To-Do List: Business Associates
     1. Determine if you are a “business associate” (and if not, be prepared to defend your case)
     2. Evaluate your current operations for compliance with the applicable Privacy Rule, Security Rule, and Breach Notification provisions
     3. Ensure you have appropriate subcontracts in place and with proper content
     4. Conduct training
     5. Use OCR resources
  24. Disclaimer
     This presentation is informational only. It does not constitute legal or professional advice. You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation.
  25. Contact Information
     Brian R. Balow
     248-433-7536
     Thank you