Overview of the Omnibus Final HIPAA Rule Kohler HealthCare Consulting, Inc. Deanna Turner 410.461.5116




Goals for Session

• Define the statutory timeline and reasons for changes to the final HIPAA (Health Insurance Portability and Accountability Act) Rule
• Provide an overview of the changes in the final Rule
• Highlight responsibilities and requirements of the expanded pool of Business Associates (BA)
• Summarize new and expanded individual rights
• Outline changes to “Breach Notification”
• Provide advice on “Next steps”


Background: Statutory Timeline

• January 17, 2013: Omnibus Rule announced by the Office of Civil Rights of the U.S. Department of Health and Human Services (HHS)
  – Largest expansion of the HIPAA privacy, security, enforcement and breach notification efforts in at least a decade.
• March 26, 2013: Effective date of the Omnibus Rule (60 days after publication in the Federal Register).
• September 23, 2013: Date by which covered entities and business associates must comply with the requirements (180 days after the effective date).
• Now is the time to determine whether these changes will affect your business relationships!


Background: Why the Changes?

• Updates and clarifies obligations that were enacted in February 2009 by the HITECH Act
• Changes are designed to advance health information technology and incentivize use of electronic health data and information
• Consumer-based focus with orientation toward active enforcement
• Most sweeping changes since the law was first implemented
• Goal: Improve patient privacy and security protections, and increase penalties for non-compliance


Background: What’s Changed?

• Expansion of responsibilities, extension of obligations, and increased liability of business associates and covered entities;
• Tightening of limits on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes;
• Strengthening of individuals’ rights and control over their PHI (access, disclosures);
• Establishment of new required authorizations for individuals’ PHI (sale, research, decedent data);
• Modifications to the Notice of Privacy Practices;
• Lowered “threshold of harm” related to breaches and increased obligations regarding breach notifications; and
• Enhancement of provisions related to enforcement and penalties for non-compliance


Business Associates and Enhanced Requirements

• Business Associates (BA) are partners and vendors that perform work on behalf of a covered entity
• HHS has added the word “maintains” to the previous definition to clarify that entities that store or maintain PHI are business associates
• Includes the HITECH Act-mandated specific inclusion of:
  – Entities that provide data transmission services to a covered entity; and
  – A person that offers a personal health record to one or more individuals on behalf of a covered entity.


Business Associates and Enhanced Requirements

Entities are Business Associates if they create, receive, handle, maintain, transmit or store PHI, even if they do not actually view the PHI


INCLUDES
• Health Plans
• Third Party Administrators
• E-Prescribing Gateways
• Billing Companies
• Technology Vendors
• Personal Health Record Vendors

DOES NOT INCLUDE
• Companies that serve as conduits for PHI
  – Internet service providers
  – Courier services


Business Associates and Enhanced Requirements

• A subcontractor is defined as a “person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate”.
• Previously: It was unclear that privacy and security rules added by HITECH extended to subcontractors
• Now: Subcontractors are specifically included in the modified definition of “business associate”
• RESULT: Government has the authority to penalize BOTH business associates and subcontractors!


Direct Liability of Covered Entities and Business Associates

Covered entities and business associates are directly liable for violations including:
– Compliance with the HIPAA Security Rule’s administrative, physical and technical safeguards
– Impermissible uses and disclosures of PHI and certain other requirements under the Privacy Rule
– Notification of a breach of unsecured PHI
– Compliance with documentation requirements, including executing business associate agreements
– Failing to disclose PHI when required to determine a business associate’s compliance.


Direct Liability of Covered Entities and Business Associates

• Both covered entities and business associates are liable for violations due to the acts or omissions of their agents (subcontractors).
  – Not all business associates are automatically agents of covered entities, and not all subcontractors are agents of covered entities.
  – Liability depends on whether there is an agency relationship and whether the act or omission was within the scope of the agency.
• Covered entities and business associates are required to obtain “satisfactory assurances” through execution of agreements with their business associates and subcontractor business associates.


Business Associates Obligations

The Omnibus Rule clarified that business associates must:
– Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
– Provide PHI to the Secretary upon demand;
– Provide an electronic copy of PHI available to an individual (or covered entity) if an individual requests;
– Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
– Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.


Expanded Individual Rights: Use of PHI

• Tightened limitations on use and disclosure of PHI for marketing purposes
• Requires covered entities to obtain authorization from individuals if the covered entity receives payment for producing or distributing materials
• Communications allowed without authorization, but the recipient must be able to “opt out”:
  – Case Management
  – Care Coordination
  – Therapies
  – Alternative Treatments or Providers
  – Prescription reminders (as long as remuneration is limited to reasonable costs)


Expanded Individual Rights: Sale of PHI

• Sale of PHI is prohibited without individual authorization unless:
  – Used by a public health agency for treatment and payment; OR
  – Other allowed disclosures, such as normal disclosures to business associates
• Authorization must be worded clearly so that individuals can make informed decisions
• Authorization must include the fact that the covered entity will receive payment for disclosures


Expanded Individual Rights: Patient Requests for PHI

• Individuals can request that a covered entity provide electronic copies of their health information
• Covered entities that maintain electronic records must provide PHI in the format requested by the individual if readily producible
• If not readily producible, the information must be provided in a readable electronic format agreed to by both the covered entity and the individual
• Covered entities may not charge more than the cost of labor and materials required to provide the electronic records


Expanded Individual Rights: Patient Requests for Restrictions on Disclosures

• Individuals can request that a covered entity not disclose to the individual’s health plan information concerning treatment for which the provider has been paid out-of-pocket in full
• Prior: Covered entities were not required to agree to such a request
• Now: Covered entities will need to employ some method to flag the individual’s record with respect to PHI that has been restricted, to ensure that such information is not inadvertently sent or made accessible to the health plan


Expanded Individual Rights: Use of PHI for Research

• Created a simplified and streamlined process of gaining individual authorizations for use of PHI
• Prior: Researchers were obligated to ask for permission for each distinct use of PHI
  – Added unnecessary complexity and confusion to the process of obtaining consent
• Now: Covered entities can ask individuals to consent to share PHI for a particular research study and, by extension, use the consent for related research purposes
  – Example: Obtain consent to share PHI and also use the same consent for creation of a database to store and allow for querying of information


Expanded Individual Rights: Use of Genetic Information

• Enhanced privacy protections for genetic information
  – Required by the Genetic Information Nondiscrimination Act
• Clarifies that genetic information is considered health information for purposes of HIPAA
• Prohibits health plans from using or disclosing genetic information that can be used for underwriting purposes
  – Exception: Issuers of long-term care policies
• Insurers must communicate this to consumers in the Notice of Privacy Practices


Expanded Individual Rights: Privacy Practices

• Covered entities must modify and redistribute Notices of Privacy Practices (NPPs) to include announcements regarding new privacy practices
• Revised NPPs must include:
  – New authorization requirements around the sale and marketing of PHI
  – Breach notification responsibilities of the covered entity
  – Right to “opt out” of fundraising and marketing communications
  – Right of patients to be able to request disclosure restrictions on out-of-pocket payments to providers


Data Breaches by the Numbers

• 94% of healthcare organizations suffered a data breach in the past two years
  – Of those, 45% suffered more than 5 such incidents
• Average economic impact of a data breach in 2011 and 2012 for healthcare organizations was $2.4 million
  – $400,000 greater than 2010
  – Aggregate annual cost: $7 billion
• Average number of lost or stolen records per breach: 2,769
• And these numbers are going to increase with the new changes…


“Third Annual Benchmark Study on Patient Privacy and Data Security”, ID Experts Corp, 2012


Changes to the Breach Notification Framework

• The HITECH Act of 2009 established a statutory requirement for breach notification
• Notification was required when more than 500 individuals were affected.
• Breach = “the acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of the protected health information.”
• Compromises = “poses a significant risk of financial, reputational, or other harm to the individual”


Changes to the Breach Notification Framework

• Burden of proof regarding breaches has now shifted
• “Threshold of harm” has been lowered
• It is now presumed that any acquisition, access, use or disclosure of PHI not permitted under the HIPAA Privacy Rule is a breach, regardless of the number of individuals affected.
• Exception: If a covered entity or business associate can demonstrate that “there is a low probability that the [PHI] has been compromised based on a risk assessment”


Changes to the Breach Notification Framework

• Business associates that experience a breach must provide notice of the breach of unsecured PHI to their covered entity “without unreasonable delay and in no case later than 60 days following the discovery of the breach”
• Incidents that may not have been considered serious risks in the past will now need to be reported to the affected individuals and the Office of Civil Rights (OCR)
• New threshold is stricter but intended to be more objective and easier to interpret and apply


Breach Notification - Risk Assessment

• Risk assessment can be used to demonstrate that there is a low probability that PHI has been compromised
• Risk assessment must include consideration of the following factors:
  – The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  – The unauthorized person who used the PHI or to whom the disclosure was made;
  – Whether the PHI was actually acquired or viewed; and
  – The extent to which the risk to the PHI has been mitigated.


Breach Notification

Prepare your organization to minimize your risk of breach!!

HHS stated in the Omnibus Rule that it will issue future guidance on risk assessments associated with breaches; however, no timeline was given.

Organizations should begin by focusing on identifying gaps in compliance that led to past incidents and closing those gaps.


Enhanced Enforcement

• Final rule solidifies and enhances provisions related to:
  – Compliance reviews and investigations
  – Imposition of civil monetary penalties
  – Procedures for hearings
• Maximum penalty for noncompliance due to negligence has also been increased to $1.5 million per violation
• Requires the HHS Secretary to conduct a compliance review whenever a preliminary review of a complaint indicates a possible violation by an organization (covered entity or business associate) due to willful neglect
• HHS has leeway in deciding the amount of a fine and can base its decision on contributing factors (e.g. past complaints, nature of harm, etc.)


Enhanced Enforcement: Penalties

Criteria for Determining Penalty                                Minimum Penalty               Maximum Penalty
                                                                (Per Violation / Annual Cap)  (Per Violation / Annual Cap)
Violator did not know and could not have been expected to know  $100 / $25,000                $50,000 / $1,500,000
There was “reasonable cause” and no “willful neglect”           $1,000 / $100,000             $50,000 / $1,500,000
There was “willful neglect” and violation was corrected         $10,000 / $250,000            $50,000 / $1,500,000
There was “willful neglect” and violation was not corrected     $50,000 / $1,500,000          No specified maximum


Next Steps for Covered Entities and Business Associates

Gap Analysis
– Conduct a gap analysis between current policies and procedures and the new requirements
  • determine what changes are needed,
  • implement those changes as soon as reasonably possible.
– Identify and document business associates under the new definition.
– Business associates should identify and document their subcontractors
  • confirm business associate agreement obligations and exposure to liability for noncompliance


Next Steps for Covered Entities and Business Associates

Business Associates
– Create a separate set of policies and procedures to comply with these new rules.
– Business associates are not required to have their own privacy policies and procedures or to train their workforce on privacy rules, but it is strongly recommended.
– Business associates that discover a breach must report it to the covered entity, and a subcontractor must report a breach to its business associate.
– Ultimately, the covered entity has the obligation to notify affected individuals of a breach, even if the breach occurred under the business associate, and even if the responsibility to notify has been delegated to the business associate.


Next Steps for Covered Entities and Business Associates

Breach Notification
– Organizations should review and revise their breach notification policies, procedures and breach response plans.
– Covered entities are required to notify all affected individuals as soon as possible.
  • 60 days is the outer limit
  • OCR treats a breach as “discovered” when the entity becomes aware of the breach, or
  • should have gained knowledge of the breach through due diligence.
– The “discovery” standard applies to employees and agents of the covered entities, including business associates.


Next Steps for Covered Entities and Business Associates

Workforce Training
– Provide additional training and awareness communications to personnel about the new requirements.
– Plan a training session with all personnel sometime in the near future, preferably before or near the March 26, 2013 effective date of the Omnibus Rule.
– Establish a way to monitor compliance by Business Associates and risks on an ongoing basis, enabling quick identification and mitigation of problems.


Next Steps for Covered Entities and Business Associates

Review and Amend Business Associate Agreements
– Update policies and procedures.
– Review and, if needed, amend existing business associate agreements to comply with the new requirements.
– OCR recently posted sample business associate agreement provisions on its website:
  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
– The language may also be adapted for a contract between a business associate and its subcontractor.
– The template provisions are a helpful starting point, but additional revisions are advisable, such as detail regarding mitigation in the event of a breach.


Next Steps for Covered Entities and Business Associates

Revise and distribute new notices of privacy practices to individuals informing recipients of the following:
– the new prohibition against health plans using or disclosing genetic information for underwriting purposes;
– the prohibition on the sale of protected health information without express written authorization of the individual, including other uses and disclosures such as marketing and disclosure of psychotherapy notes;
– the duty of a covered entity to notify affected individuals of a breach;
– the individual’s right to opt out of receiving fundraising communications; and
– the individual’s right to restrict disclosures of protected health information to a health plan where the individual paid out of pocket in full.


Questions?
