No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules Brian R. Balow Dickinson Wright PLLC June 6, 2013


DESCRIPTION

Connecting Michigan for Health 2013 http://mihin.org/

TRANSCRIPT

Page 1: Brian Balow HIPAA Final Rule

No More Excuses: HHS Releases Tough Final HIPAA Privacy and

Security Rules

Brian R. Balow

Dickinson Wright PLLC

June 6, 2013

Page 2:

Overview

Released January 17, 2013

Effective March 26, 2013

Covered entities and business associates have 180 days beyond the effective date to come into compliance with most of the Final Rule’s provisions (September 23, 2013)

Page 3:

Rules to be Discussed

Privacy Rule

Security Rule

Breach Notification Rule

Enforcement Rule

Page 4:

Some General Matters

Patient Safety Organizations are now business associates

HIOs, E-Prescribing Gateways, and others that facilitate ePHI transmission can be business associates (if “access to PHI on routine basis” and not merely a conduit)

PHR vendors can be business associates if the PHR is offered on behalf of a covered entity

Page 5:

Some General Matters

Subcontractors to a covered entity can be business associates “to the extent that they require access to PHI.” Thus, covered entity must gain satisfactory assurances of compliance required by the Rules from its business associates, and business associates must obtain same from subcontractors

PHI “stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules”

Copyright 2013 Michigan Health Information Network 5

Page 6:

Privacy Rule

Uses and disclosures of patient information:

• Genetic information (for health plans as defined in HIPAA)
• Sale of PHI
• Disclosures to a health plan when the patient has paid for the services out of pocket
• Marketing activities
• Fundraising activities
• Deceased persons
• Immunization records to schools


Page 7:

Privacy Rule

Confirms a business associate’s direct liability for specific provisions of the Privacy Rule

Business associates are not directly liable for other Privacy Rule provisions (e.g., providing an NPP) unless the obligation is delegated to the BA under a BAA

BA may use PHI for “proper management and administration of the BA and to provide data aggregation services to a covered entity”

Page 8:

Privacy Rule

A BA must enter into a BAA-style agreement with a subcontractor prior to disclosing PHI

Covered entities no longer need to report to the Secretary an uncured breach by a BA of its obligations under a BAA

A BA must attempt to cure a subcontractor’s breach of “satisfactory assurance” type obligations (parallel to a CE’s obligations vis-à-vis a BA)


Page 9:

Privacy Rule

Required changes to BAAs:

• BA must comply, where applicable, with the Security Rule with respect to ePHI
• BA must report breaches of unsecured PHI to the CE
• BA must flow down satisfactory assurance provisions to subcontractors
• If a Privacy Rule requirement is delegated to the BA, the BA is liable to the CE if the BA breaches the pertinent Privacy Rule requirement (this does not create direct BA liability, however)

Page 10:

Privacy Rule

BAA Amendments: IF

• Existing BAA was in place prior to January 25, 2013, and is compliant with the Privacy Rule as then in effect, and
• Existing BAA is not renewed or modified between March 26 and September 23, 2013,

THEN that BAA is deemed compliant until the earlier of

• The date on which the BAA is renewed or modified on or after September 23, 2013, or
• September 22, 2014


Page 11:

Security Rule

Security Rule’s administrative, physical, and technical safeguard requirements, as well as the Rule’s policies and procedures and documentation requirements, apply to business associates in the same manner as they apply to covered entities, and BAs will be civilly and criminally liable for violations

It is the BA’s, and not the CE’s, obligation to obtain satisfactory assurances from a subcontractor regarding protection of ePHI

Provides that formerly required but duplicative BAA provisions (i.e., those required under both the Privacy Rule and the Security Rule) are no longer required

Page 12:

Breach Notification Rule

Unsecured PHI

• Secured PHI = PHI rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance. For encryption, this means compliance with:

• Data at rest: valid encryption processes consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
• Data in motion: valid encryption processes consistent with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others that are Federal Information Processing Standards (FIPS) 140-2 validated

• Encryption only counts if the decryption key (or confidential process) was not itself breached, so keys should be stored on a device or at a location separate from the data they protect. PHI that has been destroyed in accordance with the HHS guidance is likewise treated as secured


Page 13:

Breach Notification Rule, Cont’d

“Breach”

1. Impermissible use or disclosure of PHI is presumed to be a breach unless CE or BA can demonstrate “low probability” that PHI was “compromised” (move away from “risk of harm” standard)

2. CE or BA must conduct a risk assessment to determine if PHI was compromised

Page 14:

Breach Notification Rule, Cont’d

Risk Assessment:

1. Nature and extent of PHI involved (including identifiers/likelihood of re-identification)

2. Consider the recipient (e.g., already under HIPAA obligation?)

3. Was PHI actually acquired or viewed

4. Extent to which risk has been mitigated

Page 15:

Breach Notification Rule, Cont’d

Notification to Individuals

“Discovery”: A breach is treated as discovered on the first day it is known to the CE, or by exercising reasonable diligence would have been known to the CE. The CE is deemed to know of a breach if it is known (or by exercising reasonable diligence would have been known) to any person, other than the person committing the breach, who is a workforce member or agent of the CE

Timeliness: w/o unreasonable delay, not more than 60 days post-discovery (law enforcement delay exception remains)

Content:

• What happened, when it happened, and when it was discovered
• Description of the compromised PHI
• Steps individuals should take to mitigate the effects
• Steps the CE is taking, plus contact information

Page 16:

Breach Notification Rule, Cont’d

Notification to Media:

• Breach of unsecured PHI involving more than 500 residents of any one State or jurisdiction
• Without unreasonable delay, and no later than 60 days after discovery
• “Prominent media outlet” serving the State or jurisdiction (which outlet qualifies depends on the market)
• A press release posted on the CE’s website does not by itself meet this requirement

Page 17:

Breach Notification Rule, Cont’d

Notification to Secretary:

500 or more affected individuals (anywhere): notify the Secretary “immediately” (meaning contemporaneously with the individual notices, i.e., without unreasonable delay and no later than 60 days after discovery)

Fewer than 500: maintain a log and report annually through the HHS website, within 60 days after the end of the calendar year in which the breach was discovered

Notification by a Business Associate:

The BA’s knowledge of a breach is imputed to the CE if the BA is an agent of the CE (meaning the CE’s clock starts ticking when the BA “discovers” the breach)

Otherwise, the CE’s clock begins upon notice from the BA (the BA itself must notify the CE without unreasonable delay and no later than 60 days after discovery)

Page 18:

Enforcement Rule

Four civil money penalty tiers based on culpability:

1. Did not know (and by exercising reasonable diligence would not have known) of the violation
2. Reasonable cause, but not willful neglect
3. Willful neglect, corrected within 30 days
4. Willful neglect, not corrected within 30 days

Page 19:

Enforcement Rule, Cont’d

“Reasonable cause” (second tier) defined as “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

Covered entities and business associates are now liable as principals for the acts of business associates (for CEs) or subcontractors (for BAs) acting as agents under Federal common law principles


Page 20:

Enforcement Rule, Cont’d

Bases for Penalty Determinations:

1. Nature and extent of violation

2. Nature and extent of harm

3. History of prior compliance

4. Financial condition of the CE or BA

5. Other matters “as justice requires”

Page 21:

To-Do List: All

1. Print pp. 491 – 562 of the Final Rule and put them in a binder

2. Read them in conjunction with the existing HIPAA regulations (which should likewise be in a binder)

Page 22:

To Do List: Covered Entities

1. Update privacy policies (uses and disclosures of PHI)

2. Update compliance plan consistent with Breach Notification Rule changes

3. Examine BA relationships in light of agency liability issues

4. BAA review and revision (including amendments to existing BAAs)

5. Update notice of privacy practices and patient authorization form

6. (Seriously) consider encryption of ePHI if not already done

7. Conduct training

8. Use OCR resources

Page 23:

To Do List: Business Associates

1. Determine if you are a “business associate” (and if not be prepared to defend your case)

2. Evaluate your current operations for compliance with applicable Privacy Rule, Security Rule, and Breach Notification provisions

3. Ensure you have appropriate subcontracts in place and with proper content

4. Conduct training

5. Use OCR resources

Page 24:

Disclaimer

This presentation is informational only. It does not constitute legal or professional advice.

You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation.

Page 25:

Contact Information

Brian R. Balow

248-433-7536

[email protected]

Thank you