2013-06-21 HIPAA Omnibus Rule
DESCRIPTION
There were statutory amendments that HITECH required that were never made, and there was an interim final proposed rule that implements the HITECH Act breach notification requirements. These rules are now amended by the Omnibus Rule, because they were confusing and garnered public comment that convinced HHS to make changes.
TRANSCRIPT
2013 HHS HIPAA OMNIBUS RULE
Vermont Mental Health & The Law
June 21, 2013
Presenter: Eileen Elliott, Esq.
Health Information Technology for Economic and Clinical Health (HITECH) Act
• Strengthened privacy, security, and enforcement provisions
• 2009
Most of the changes in the new rule are already law under the 2009 HITECH Act
Amalgam of four interim and proposed rules:
• HIPAA Privacy, Security, and Enforcement Rules
• Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure
• Breach Notification for Unsecured Protected Health Information under HITECH
• Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)
Effective dates
• Omnibus Rule became effective on March 26, 2013
• Compliance date September 23, 2013
• Deferred compliance date is provided in certain cases for existing business associate agreements. At the latest, all of these contracts must be compliant by September 22, 2014.
• Default compliance period of 180 days from effective date for future HIPAA rules
Major Effects of Omnibus Rule
1. Enhanced breach notification requirements
2. Increased Business Associate liability
3. HHS enhanced fining authority
4. Extension of GINA to all plans subject to HIPAA
1. Strengthened Breach Reporting
• Eliminated the harm standard
• Prior rule: Breaches were not reported unless they posed a “significant risk of reputational, financial or other harm” to individuals.
• As Amended: The determination of whether an incident is a breach depends not on the likelihood affected individuals might be harmed, but rather on the risk that PHI has been “compromised.”
Strengthened Breach Reporting, cont.
• Incident is presumed a breach unless a risk analysis reveals a “low probability” that PHI has been compromised
• Impermissible uses of PHI, and not only impermissible disclosures, are potentially subject to breach notification.
• Now required to do a risk analysis
Risk Analysis
RA must include at least the following factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether PHI was actually acquired or viewed; and
• The extent to which any risk to PHI has been mitigated.
Risk Analysis, cont.
• Notification will be required if the risk analysis reveals there is greater than a “low probability” that the PHI will be or has been compromised.
• RA must be documented and retained
Exceptions to Breach
• Could not reasonably be retained
• Inadvertent access, unintentional and in good faith
• Inadvertent disclosure to another at the same entity who is authorized
• Further impermissible use destroys any exception
Notification Requirements
• Affected individuals, HHS and, in some cases, the media
• 500 or more individuals - HHS contemporaneous with the notice to individuals
• < 500 individuals can be logged and reported to HHS on an annual basis
• Cascading notifications – BAs, CEs and subcontractors
• Required without unreasonable delay and in no case later than 60 days from the date the breach is discovered
• Notification delays allowable if law enforcement advises that notification might impede their investigation
Breach Safe Harbors
• Encryption
• Disposal
Business Associates
• An entity that performs functions or services for covered entities that involve uses or disclosures of PHI
• BAs may "create, receive, maintain, or transmit” PHI
• Entities merely storing PHI also are business associates
Subcontractors are BAs
• Subcontractors are HIPAA BAs if they create, receive, maintain or transmit PHI
• “On the hook” for compliance with applicable rules like the Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.
• Organizations providing personal health records (PHRs) on behalf of CEs are business associates.
• "conduit exception" still applies but narrow
New Requirements for BAs
• Huge ramifications
• Security Rule Compliance required
• Use/disclosure requirements of Privacy Rule
• Provide copies of ePHI
• Maintain accounting of disclosures
• Provide HHS w/ PHI during review or audit
Contracting Ramifications
• CEs still must contract with BAs, but no need to contract with BA’s Subcontractors
• BAs must enter into agreements with Subcontractors
• Many more entities are considered BAs
Liability for Violations by BAs
• Business associates can be directly liable for HIPAA noncompliance, including compliance reviews, fines, equitable relief and audits
• Subcontractors of BAs are now also defined as BAs, and can also be directly liable for violations
Hybrid Entities
• When an organization carries out some HIPAA covered functions and some non-HIPAA covered functions, it is a hybrid entity.
• Business units that perform business associate-like support functions, such as the IT or Legal Departments, need to comply w/ HIPAA
• HIPAA permits a hybrid entity to designate which “components” of its business are HIPAA covered and, once documented, only those designated components have to comply with HIPAA.
Enforcement and Penalties
• “willful neglect” by the CE or BA requires HHS to conduct compliance reviews and investigate complaints
• HHS may fine any CE, BA or subcontractor responsible for a violation.
• Violations are counted up “based on the nature of the…obligation to act or not act.”
• New factors in fining calculus - number of persons affected by the violation and potential harm to those persons’ reputations
Fines
• Violation was not known and could not have been discovered with reasonable diligence – potential penalty per violation $100 – $50,000
• Reasonable cause for violation, not due to willful neglect – potential penalty per violation $1,000 – $50,000
• Violation due to willful neglect, but corrected in 30 days – potential penalty per violation $10,000 – $50,000
• Violation due to willful neglect, not corrected in 30 days – potential penalty per violation $50,000
• Maximum - $1,500,000 for all violations of an identical provision
Fines, cont.
• Monetary penalties will be tallied on a per person and per day basis.
• Breaches usually yield at least two violations: impermissible use or disclosure and a safeguards violation.
Privacy Rule
• PHI remains protected 50 years after death
• Provision of access to PHI is a disclosure
• Business associates are directly required to comply with Privacy Rule
– Expressly prohibited from using/ disclosing PHI other than as permitted by their BA agreements
– Prohibited from uses or disclosures of PHI that would not be permitted if done by CE client
• HIPAA Rules apply to genetic information
Marketing
An individual’s express authorization is required before a covered entity may make communication regarding treatment or health care operations where:
• The CE receives financial remuneration from (or on behalf of) a third party in exchange for sending the communication; and
• The communication is intended to encourage purchase or use of a product or service offered by the third party.
Marketing Authorization Required
• Communications that may be subject to this requirement include those regarding:
– Appointment reminders;
– Treatment reminders;
– Alternative treatments;
– Health care products or services.
Marketing Authorization Not Required
• Communications that are not subject to this requirement continue to include:
– Face-to-face communications;
– Promotional gifts of “nominal” value;
– Refill reminders and adherence reminders for current scripts, if they reasonably reflect costs.
No authorization required, cont.
• Communications about health in general, i.e. prevention, healthy habits
• Communications about government or government-sponsored programs that benefit the public, such as eligibility for Medicare or Medicaid
Authorization requirements
• HIPAA mandates a certain form and content for valid authorizations
• CEs must disclose in their marketing authorizations that they are receiving financial remuneration in exchange for sending marketing communications.
• Right to revoke
Fundraising
• CE may use, or disclose to a BA or an institutionally related foundation, certain PHI for its own fundraising w/o authorization
• Opt-out mechanism that does not place an undue burden on the individual
• Cannot condition treatment or payment on the individual’s choice
• Notice of privacy practices must describe the covered entity’s intent to send fundraising communications and describe the individual’s right to opt out
Sale of PHI
• Prohibited unless authorized
• Authorization must disclose that remuneration will be received
• Sale = a CE or BA receives remuneration, financial or otherwise, directly or indirectly, from or on behalf of the recipient in exchange for the PHI
Sale exceptions
• Disclosures for research purposes where the remuneration represents a reasonable cost-based fee
• Disclosures by BAs or their subcontractors where remuneration is provided by the CE or BA to compensate for the activities performed by the BA or subcontractor
• Sales must be included in authorization forms
Research Changes
• Authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study.
– Therapy notes
• Revocation
• Research authorizations need not be study specific where they pertain to future research.
Individual’s Right to Request PHI
• In any format as long as readily producible
• Even if maintained electronically
• CEs must provide copies of PHI to other parties if designated by the individual.
– Written and signed
– Clearly identify recipient and where to send
Right to Request PHI, cont.
• Reasonable, cost-based fee – labor and postage
• 60 day response period is gone, now only 30
– CE can still give itself an additional 30 days
HHS provides that covered entities are permitted to send individuals unencrypted emails including ePHI if the individual requests it, provided the covered entity has advised the individual of the risk and the individual still prefers to receive the message by unencrypted email.
Restrictions on Disclosures
• Individuals have the right to restrict certain disclosures of PHI to health plans, where
– Disclosure is for payment or operations
– Recipient paid in full
– Not otherwise required by law
• Flag the PHI to identify the restriction.
Additional Allowable Disclosures
• Decedents and individuals “not present”
– Narrow, but a minefield of subjectivity
• Schools
– Immunization records if required by state law
– Needs agreement of parents, guardian or emancipated minor
Notice of Privacy Practices
• Modifications needed:
• Revised description of uses and disclosures that require an authorization
– Marketing, selling PHI
– Fundraising
• Opt out rights
Changes to Notice of Privacy
• Right to be notified of security breaches
• Providers must explain restriction rights for PHI paid-in-full out of pocket
• Plans must explain GINA obligations
• Plans must explain how they will notify beneficiaries of changes to the notice
Security Rule
• The Security Rule now applies in full to BAs and their subcontractors.
• Variety of comprehensive security measures
• CEs remain liable for BAs
• BAs need to enter into agreements with subs
• Compliance date is 9/23/13
• Higher fines
Security Rule, cont.
• Retained Flexibility of Approach
• Internet, extranets and intranets are forms of electronic media because they transmit data electronically
• Not electronic media if it did not exist in electronic form immediately before the transmission
• Genetic information is “health information” and subject to HIPAA rules if it is individually identifiable.
GINA Requirements
• Makes all plans that are subject to HIPAA subject to GINA
• Forbids using genetic information for underwriting
• “genetic information” included in the definition of “health information”
GINA, cont.
• Genetic Information defined as:
– Genetic tests of individual or family members
– Manifestation of a disease or disorder in the individual’s family members;
– Any request for, or receipt of, genetic services, or participation in clinical research by individual or family
To-Do List
1. Revise BA agreements
2. Revise and distribute Notice of Privacy Practices
3. Evaluate existing contractor relationships
4. Revise HIPAA policies and procedures for breach reporting
5. Conduct training