HIPAA Omnibus Rule of 2013

POSA

August 29, 2013

Renee H. Martin, JD, RN, MSN

Tsoules, Sweeney, Martin & Orr, LLC

29 Dowlin Forge Road

Exton, PA 19341

Tel.: (610) 423-4200

Fax: (610) 423-4201

E-mail: [email protected]




History of HIPAA

1996 - HIPAA enacted

1999 – 2000 - Initial Privacy & Security Regulations Issued

2002 - Final Privacy Rules Issued

2005 - Final Security Rules Issued

2009 - HITECH Act – Interim Final Rule: Breach Notification

2010 - Enforcement Rules published

2013 - HIPAA Final Omnibus Rule

Copyright © 2013 Tsoules, Sweeney, Martin & Orr, LLC


Who is covered under HIPAA?


Who Is Subject to HIPAA?

Covered Entities (direct):

Health plans: insurance companies; HMOs

Health care clearinghouses (process nonstandard data elements into standard data elements)

Health care providers who transmit any health information in electronic form in connection with a covered transaction

Business Associates: receive PHI from a covered entity and perform a function on its behalf


What is a Business Associate?

A person who, on behalf of a covered entity:

Performs or assists with a function or activity involving Individually Identifiable Information

Performs certain identified services


Business Associates of a Covered Entity (diagram)

Examples of Business Associates surrounding the Covered Entity:

Auditors, Lawyers, Actuaries

Billing Firms

Clearinghouses

Management Firms

Consultants, Vendors

Other Covered Entities

TPAs

Accreditation Organizations


Third Parties and Business Associates (cont.)

Covered entities may disclose PHI to a business associate

As necessary to permit the business associate to perform functions and activities on behalf of the covered entity

Business associate cannot use PHI for its own purposes


Individually Identifiable Health Information (IIHI)

Health information, including demographics, that:

• Is created or received by a health care provider, health plan, or health care clearinghouse; and

• Relates to the past, present or future physical or mental health or condition; the provision of health care; or the past, present or future payment for the provision of health care to an individual; and that

• Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.


Protected Health Information (PHI)

Individually identifiable health information that is:

• Transmitted by electronic media

• Maintained in any electronic media

• Transmitted or maintained in any other form (including oral or written PHI)


PHI and the Medical Record

The HIPAA Privacy Rule defines a “designated record set” as follows:

(1) A group of records maintained by or for a covered entity that is:

• The medical records and billing records about individuals maintained by or for a covered health care provider;

• Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) The term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.


Privacy Rule Summary

A covered entity may not use or disclose PHI except:

After it gives written Notice about its health information practices to the individual

In accordance with an individual’s written authorization

When requested by the Department of Health and Human Services Office for Civil Rights


General Rule: Required Disclosure

To individual upon individual’s request; some exceptions apply

To HHS in connection with its enforcement and compliance review actions


General Rule: Permitted Disclosures

Notice of Privacy Practices: Treatment, Payment, Health Care Operations

Authorization

Statutory/Regulatory Disclosures


Scope of the Omnibus Rule

Revised breach notification standard

Patient access to information contained in an electronic health record

Regulation of business associates (“BAs”) and subcontractors

Prohibition on “sale” of PHI without authorization


Scope of the Omnibus Rule

Patients’ right to restrict data sharing with payers

Requirements to modify and redistribute the NPP

Clarifies and strengthens OCR’s role in enforcement, imposition of civil monetary penalties (CMPs), and CMP liability for acts of Business Associates and subcontractors


Duty to Notify in Case of Breach

HITECH Act: Required Notification of Breach of “Unsecured PHI”

What is a “breach”? “The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI”

If definition is met, notification is required

*Applies to both electronic and hard copy information*


Duty to Notify in Case of Breach

What is NOT a “breach”? Determined by:

1. Definition of “breach”

2. Exceptions to definition of a breach


Not a Breach by Definition

Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA), if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted


Not a Breach by Definition

Applies only to “Unsecured PHI”:

If CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 Guidance for PHI, the PHI is “secure” and no notice required.

Per the Guidance, “Secure PHI” is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the exhaustive list of technologies and methodologies)


IFR Breach Notification Standard

Interim Final Rule (IFR) – CEs/BAs must notify of breaches of unsecured PHI that cause a significant risk of harm to the data subjects

Harm includes financial & “other” harm; the standard was controversial

Data correctly encrypted per National Institute of Standards and Technology guidance is not “unsecured PHI”


Omnibus Rule Breach Notification Standard

Definition of “breach” is now changed

“Harm” analysis gone

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been “compromised”

Determining whether or not there is a low probability that data has been “compromised” requires analysis of what happened (or may have happened) to the data

Focus has now switched to: what happened to the PHI?


Breach Notification – Risk Assessment

CE/BA should perform a risk assessment after breach discovery and must consider at least the following:

• Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification

• Who was the recipient of the PHI

• Whether the PHI was actually acquired or viewed

• The extent to which the risk of misuse of the PHI has been mitigated


Breach Notification – Burden of Proof

If no risk assessment performed, the default is notification

Burden of demonstrating low probability that PHI is compromised is on the CE/BA

Decision not to notify must be documented in case of review


Breach Notification – Obligations to Notify

CEs must notify individuals (although can delegate this to BAs)

BAs must notify CEs

Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain


Breach Notification – Examples of Risk Analysis Criteria

Likelihood of identification or re-identification:

• A list of patient names on practice letterhead – high probability

• Patient data on your letterhead, patients not specified – can patients be re-identified? – could be low probability (depends on the circumstances)

Who is the unauthorized recipient:

• A HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated

• An employer – may be able to use personnel records to re-identify – not low probability

PHI actually acquired or viewed:

• Untampered-with laptop – low probability

• Information mailed to the wrong person – not low probability

Has improper use been mitigated:

• Satisfactory assurances of destruction from a known person – low probability


Right to Request Restrictions to Payors

The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI.

The Final Rule created an exception, and requires a CE to agree to a restriction if:

• the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

• the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full.


OCR Guidance on Disclosure Restrictions

CEs are not required to create separate medical records or otherwise segregate PHI subject to a restriction.

CEs will need to flag restricted PHI or make a notation in the record that the PHI has been restricted.

CEs are not required to abide by a restriction if an individual’s payment fails, is denied, or bounces, but they must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan.

Providers within an HMO who cannot by law accept payment from the individual may counsel the patient to use an out-of-network provider

If restriction sought for item of bundled services, counsel patient about ability to and effect of unbundling, and permit patient to pay for entire bundle

CEs need not inform downstream providers of restrictions, but should counsel patients to seek restrictions and pay out of pocket there, too


Individual Right to Access PHI

HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set.

The Final Rule made significant changes to the individual’s right to access their PHI.


Patient Access to Electronic Health Information

If PHI is held electronically, the individual is entitled to an electronic copy if it is in a “designated record set” (not just the information in an “EHR”)

Must be in the format requested if “readily producible”; if not, in a readable electronic form and format agreed upon by the entity and the individual

Not required to buy new software to do this – but must have the capability to provide some electronic copy

If the individual declines to accept the electronic formats the entity makes available, can default to hard copy

Not required to accept the patient’s device – but can’t require individuals to purchase a device from you if they don’t want to


Patient Access – Reasonable Safeguards

Must have reasonable safeguards in place to protect transmission of ePHI – but…

If an individual wants information by unencrypted e-mail, the entity can send it if they advise the individual that such transmission is risky

Can’t force individuals to accept unsecure transmission

Not then responsible for breach – document the individual’s acknowledgement of risk

Omnibus allows 30 days to produce, with one 30-day extension, for a total of 60 days – OCR urges entities to make information available sooner when possible

If over 30 days, must notify the patient in writing and explain why the extension is needed


Patient Access – Third Parties, Charges

Individuals can have the copy directed to another person/entity – but the choice must be in writing and clearly identify the individual/entity

Information must be protected and the entity must implement reasonable policies and procedures to send it to the right place (e.g., type the e-mail address correctly)

“In writing” can be electronic

Fees charged are restricted to labor costs of copying – cannot include cost of retrieval, or a portion of capital costs

Charge can include supplies provided to the individual upon request


Business Associates/Subcontractors

Omnibus rule conforms HIPAA regulations to HITECH Act changes

Before HITECH, BAs were regulated through business associate contracts or agreements (“BAAs”)

After HITECH, BAs and subcontractors are regulated directly under HIPAA

Must comply with the Security Rule (rule is flexible to accommodate small BAs)

Must comply with some of the Privacy Rule and the provisions of the BAA

Still need a BAA


Notice of Privacy Practices (NPP)

NPPs must include:

Statements regarding certain uses and disclosures requiring authorization – e.g., psychotherapy notes (where appropriate), marketing, sales of PHI, right to restrict disclosures to health plans (provider only), and right to be notified of breach; and

General statement that all uses and disclosures not described in NPP also require authorization

New patients get the revised NPP by 9/23/13; other patients as they come in to be seen


What the OCR says about Enforcement

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

– Leon Rodriguez, Director, OCR


Enforcement Rule – BAs, Investigations, Reviews

Civil monetary penalties (CMPs) can be assessed directly against business associates

Complaint investigations and compliance reviews:

• Required whenever there is evidence of a possible HIPAA violation due to willful neglect

• Discretionary in the absence of possible willful neglect

• Every complaint will be investigated preliminarily

• Secretary has discretion to move directly to imposition of CMPs without informal resolution


Enforcement - Coordination

Secretary may disclose PHI to another agency on request

Coordination of Department of Justice and FTC (http://www.hhs.gov.ocr/enforcement)

Coordination with State Attorneys General to assist with their direct enforcement


Enforcement

Violation – State of Mind          Penalty Range Per Violation   Maximum amount for all such violations of an identical provision in a calendar year

Did Not Know                       $100 – $50,000                $1,500,000

Reasonable Cause                   $1,000 – $50,000              $1,500,000

Willful Neglect – Corrected        $10,000 – $50,000             $1,500,000

Willful Neglect – Not Corrected    $50,000                       $1,500,000


Enforcement - CMPs

New definition of “Reasonable Cause” to address state of mind: knew it was a violation but without willful neglect

Definition of “willful neglect” retained: “conscious, intentional failure or reckless indifference”


Enforcement – CMPs – Liability for Agents

Note: Workforce members liable for breach under HITECH

CEs and BAs and subcontractors are liable for HIPAA violations of their agents

Fact specific determination: did the principal control or have the right to control or direct the agent’s conduct in performing a contracted service?

The manner and method the principal actually controls the service provided is determinative


Enforcement Rule – Considerations for CMPs

OCR will consider the following:

• Nature and extent of the violation

• Nature and extent of any physical, financial or reputational harm

• The covered entity’s or business associate’s history of prior noncompliance with the statute

• The financial condition of the covered entity or business associate

• Other factors as required for justice

• Extent of reputational or other harm

• Time period during which violations occurred

• Number of individuals affected


Next Steps

Review policies, procedures, forms, and update

Train staff on new provisions

Inventory BAs and update BAAs

Update breach response plan; in particular, update risk assessment and address encryption

Don’t delay
