
© 2013 Davis Wright Tremaine. Use with attribution permitted. Prepared as of January 25, 2013. 20993049v2

HCCA 2013 Cascade Range Regional Area Compliance Conference
Hilton Portland & Executive Tower
June 28, 2013

Bernie Thurber, Partner, Portland

Agenda

• Omnibus Rule: What’s in and What’s Out
• Breach Notification Rule
• New Limits on Uses and Disclosures of PHI
• Business Associates and Subcontractors
• Increased Patient Rights
• Notice of Privacy Practices
• Increased Enforcement
• Action Items

2

The “Omnibus Rule”

• Most HITECH Act privacy and security provisions
• Breach Notification Rule
• Genetic Information Nondiscrimination Act (limit on underwriting)
• Enforcement Rule
• Several workability amendments
• General compliance date: September 23, 2013

3


What’s Still Missing?

• Accounting of disclosures/access reports
• Minimum necessary guidance
• Distribution of penalties/settlements to harmed individuals

4

[Image: Access Report]

BREACH NOTIFICATION RULE

5

New “Compromise Standard”

• Replaces the interim rule’s harm threshold (“significant risk of financial, reputational, or other harm”)
• Removes the interim rule’s exception for a limited data set without ZIP codes or dates of birth
• Presumption of a reportable breach, unless a risk assessment shows a low probability that the PHI has been compromised

6


Breach Notification

What is “compromised”?

The new rule doesn’t say.

7

What Is “Compromised”?

• “Whether or not the data involved in the breach were at significant risk of being inappropriately viewed, re-identified, re-disclosed, or otherwise misused” – Center for Democracy & Technology/Markle Foundation comment to the interim final HIPAA Breach Notification Rule
• “Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.” – NIST Special Publication 800-32

8

Risk Assessment Factors

• Nature and extent of the PHI involved
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI actually was acquired or viewed
• The extent to which the risk to the PHI has been mitigated

9


NEW LIMITS ON USES AND DISCLOSURES OF PHI

10

The Good News: Fundraising

• Adds categories of PHI that may be used or disclosed for fundraising:
  ◦ Department of service
  ◦ Treating physician
  ◦ Outcome information
  ◦ Health insurance status

11

The Good News: Fundraising

• Strengthens opt-out for fundraising:
  ◦ Clear and conspicuous
  ◦ Must not require undue burden
  ◦ May not condition treatment or payment
• Covered entity may not make fundraising communications after opt-out (previous standard was “reasonable effort”)
• Covered entity may provide a method of opting back in

12


The Good News: Research

• Covered entities may combine “conditioned” and “unconditioned” authorizations
• For example, a conditioned authorization for a clinical trial may be combined with an unconditioned authorization for a tissue specimen repository

13

The Good News: Research

• Unconditioned authorization must be opt-in, e.g.,
  ◦ Check box
  ◦ Second signature line
• Authorization must differentiate between conditioned and unconditioned portions

14

The Good News: Research

• HHS changed its interpretation on authorization for future research:
  ◦ Prior interpretation – authorization for research must be study specific
  ◦ New interpretation – authorization may govern future research
• Authorization must reasonably put the individual on notice of potential future research

15


The Good News: Student Immunization Records

• Covered entity may release student immunization records to a school without authorization
  ◦ If state law requires the school to have the immunization record (state where the school is located)
  ◦ Written or oral agreement (must be documented)

16

The Good News: Decedent Information

• No longer PHI 50 years after death
• Covered entity may disclose PHI to persons involved in the decedent’s care or payment if not contrary to a prior expressed preference

17

The Bad News: Marketing

• New restriction on disclosures that describe an item or service when the covered entity receives financial remuneration from a third party whose item or service is described.

18


The Bad News: Marketing

• Question 1: Communication about a product or service that encourages purchase or use? If yes, marketing.
• Question 2: Describes a health-related item or service offered by the covered entity, or a treatment alternative? If yes, no longer marketing.
• Question 3: Remuneration received from a third party whose item or service is described? If yes, marketing again (authorization required).
• Question 4: Payment for refill reminders about a drug that is currently prescribed, with remuneration reasonably related to the cost of the communication? If yes, no longer marketing.

19

The Bad News: Sale of PHI

• Covered entity may not receive remuneration in exchange for PHI
• Exceptions (no limit):
  ◦ Treatment
  ◦ Payment
  ◦ Public health
  ◦ Sale of covered entity and related due diligence
  ◦ Required by law

20

The Bad News: Sale of PHI

• Exceptions (no limit):
  ◦ Business associate activities
• Exceptions (limits):
  ◦ Any other permissible purpose if remuneration is limited to a reasonable, cost-based fee for preparation and transmittal (not in HITECH)
  ◦ Research
  ◦ To an individual for access and accounting

21


The Bad News: Genetic Information

• Clarification that genetic information is health information
• Health plan (other than a long-term care plan) may not use or disclose genetic information for underwriting purposes

22

BUSINESS ASSOCIATES AND SUBCONTRACTORS

23

Who Is a Business Associate?

• New definition of business associate:
  ◦ Uses or discloses individually identifiable health information
  ◦ Creates, receives, maintains, or transmits protected health information
  ◦ On behalf of a covered entity

24


Subcontractors, Welcome to the HIPAA Party!

• Subcontractor + PHI = Business Associate
• Subcontractor = person to whom a business associate delegates a function, activity, or service
• Subcontractor ≠ workforce member
• Guidance indicates a subcontractor is not a BA if performing administration or management for the BA

25

Business Associate Contracting: Who Contracts with Whom?

Covered Entity
    | Contract
    v
Business Associate
    | Contract
    v
Business Associate Subcontractor
    | Contract
    v
Business Associate Subcontractor

Each contract in the chain must be at least as restrictive as the contract above it with respect to uses and disclosures.

No contract is needed directly between the covered entity and the subcontractors further down the chain.

26

Business Associate Puzzle

• Direct and contractual liability (e.g., Security Rule, impermissible uses and disclosures, accounting of disclosures)
• Contractual liability only (e.g., safeguards for hard copy information, access to hard copy information and amendment)
• Not explicitly required, but a good idea (e.g., privacy officer, privacy policies, privacy training)
• Not required or expected (e.g., notice of privacy practices)

27


Changes to BA Contracts

• Must specify compliance with the Breach Notification Rule
• Subcontractor must be subject to a BA contract
• If the CE delegates HIPAA responsibility, must specify that the BA will comply with HIPAA
• Should specify to whom the BA provides electronic access

28

Optional BA Contract Provisions

• Control over BA use of subcontractors?
• Clarity regarding minimum necessary?
• More stringent reporting timelines?
• Additional clarity on safeguards?
• INDEMNIFICATION?

29

INCREASED PATIENT RIGHTS

30


Electronic Copy of PHI

• Old Rule:
  ◦ Form or format requested, if readily producible
  ◦ If not readily producible, then readable hard copy

31

Electronic Copy of PHI

• New Rule (same):
  ◦ Form and format requested, if readily producible
  ◦ If not readily producible and maintained on paper, then readable hard copy

32

Electronic Copy of PHI

• New Rule:
  ◦ If not readily producible and maintained electronically, then electronic copy

33


Copy of PHI to Third Parties

• Individual may designate a third party to receive a copy
  ◦ Must be in writing
  ◦ Clearly identify the designated person
  ◦ Clearly identify where to send the copy
• Access vs. authorization: who is making the request?

34

Restriction for Out-of-Pocket Payments

• Covered entity must agree to an individual’s request to restrict disclosure to a health plan
  ◦ For payment or health care operations
  ◦ Unless disclosure is required by law
  ◦ If the individual (or a third party) pays for the item or service out of pocket in full

35

NOTICE OF PRIVACY PRACTICES

36


Changes to Notice of Privacy Practices

• Prohibition on sale of PHI
• Duty to notify affected individuals of a breach of unsecured PHI
• Right to opt out of fundraising (if applicable)
• Right to restrict disclosure of PHI when paid out of pocket
• Limit on use of genetic information (certain health plans only)
• Appointment reminders and treatment alternatives

37

ENFORCEMENT

38

New Focus on Enforcement

• Increased penalties continue ($1.5 million per year cap, applied separately to each type of continuing violation)
• New focus on investigating and penalizing noncompliance due to “willful neglect”
• Willful neglect: conscious, intentional failure or reckless indifference
• Can impose a penalty without seeking informal resolution

39


Other Changes to Enforcement

• Change in definition of “reasonable cause” (fills any gap between “did not know …” and “willful neglect”)
• Slightly revises the factors for calculating civil monetary penalties
• Covered entities and business associates are liable for agents acting within the scope of agency, even if a business associate agreement is in place

40

Agency Liability

• Who is an agent?
• Subject to the Federal common law of agency
• Does the covered entity have the authority to control the business associate’s conduct in the course of its performance? (Same for BA and subcontractor)
• Does the covered entity have authority to provide interim instructions or directions?

41

Agency Liability

• “Business associate must make available protected health information in accordance with §164.524 based on the instructions to be provided by or under the direction of a covered entity” would create an agency relationship.
• Specificity vs. agency liability

42


ACTION ITEMS

43

Action Items

• Perform a gap analysis to determine what policies and procedures must be revisited
  ◦ Is every requirement of the HIPAA rules addressed?
  ◦ What new requirements of the Omnibus Rule need to be added?
• Revise privacy and security policies and procedures to bring the organization into compliance
  ◦ What policies and procedures have not worked?
  ◦ What have been the top issues for the organization?

44

Action Items

• Revisit/revise breach notification policies, procedures, and breach/incident response plans
  ◦ Revise the risk assessment threshold
  ◦ Ensure the risk assessment addresses the required elements
  ◦ Do employees know how to recognize and report a breach?
• Encrypt, encrypt, encrypt

45


Action Items

• Amend notices of privacy practices
  ◦ Properly post and distribute
• Determine whether any forms, such as requests for access, should be updated or created

46

Action Items

• Train the workforce and promote more ongoing awareness
  ◦ Develop a training plan
  ◦ Consider multiple platforms (e.g., online, meetings, etc.)
  ◦ Ensure training is more practical than academic

47

Action Items

• Business associate contracts
  ◦ Revise business associate contract templates
  ◦ Identify business associates
  ◦ Determine a plan for amending/renegotiating existing business associate contracts

48


Action Items

• Distinguish risk analysis vs. evaluation of controls
• Risk analysis should:
  ◦ Identify locations of electronic PHI
  ◦ Identify reasonably anticipated threats (e.g., human, natural, and environmental) and vulnerabilities
  ◦ Assign risk levels (e.g., low, medium, high) based on likelihood and impact

49

For more information…

50

Bernie Thurber, Partner

[email protected]

Materials prepared by

Adam Greene, Washington, D.C.

Questions

51