Navigating HIPAA - PowerPoint PPT Presentation

Provided by: Jonathan516
1
Navigating HIPAA & Recent Healthcare Reform
  • What You Need to Know

2
What is HIPAA?
  • The Health Insurance Portability and
    Accountability Act of 1996 (HIPAA), Public Law
    104-191, was enacted on August 21, 1996.
  • HIPAA is federal legislation designed to improve
    the efficiency of the healthcare system and to
    protect the security and privacy of a patient's
    health information.

3
What Does HIPAA Do?
  • Gives patients more control over their health
    information
  • Sets boundaries on the use and release of patient
    information
  • Establishes that covered entities and their
    business associates must have appropriate
    safeguards to protect the privacy and security of
    PHI
  • Limits release of PHI to the minimum reasonably
    needed for the purpose of the disclosure
  • Holds violators accountable with civil and
    criminal penalties

4
Who Needs to Comply?
  • HIPAA applies to covered entities.
  • A covered entity is:
  • A health plan.
  • A health care clearinghouse.
  • A health care provider that transmits health
    information in electronic form in connection with
    health care transactions.
  • Examples: doctors, clinics, psychologists,
    dentists, chiropractors, nursing homes, health
    insurance companies, HMOs and company health
    plans.

5
What does HIPAA Protect?
  • The Privacy Rule protects all individually
    identifiable health information held or
    transmitted by a covered entity or its business
    associate, in any form or media, whether
    electronic, paper, or oral.
  • Individually identifiable health information is
    information that:
  • is created or received by a covered entity;
  • relates to the past, present, or future physical
    or mental health or condition of an individual;
    the provision of health care to an individual; or
    the past, present, or future payment for the
    provision of health care to an individual; and
  • identifies the individual, or there is a
    reasonable basis to believe the information can
    be used to identify the individual.
  • The Privacy Rule calls this information
    "protected health information" or PHI.

6
Examples of PHI
  • Medical Records
  • Billing Information
  • Insurance Forms
  • Authorizations and Notices
  • Conversations with covered entity about PHI
  • Prescriptions
  • Patient Charts
  • Patient Registry
  • Correspondence about a patient
  • Medical Records Summaries
  • Correspondence discussing PHI

7
General Rules for Disclosure
  • The privacy rule governs how a covered entity may
    disclose PHI to persons outside of the covered
    entity.
  • HIPAA prohibits covered entities from disclosing
    PHI without a patient's authorization unless an
    exception exists.

8
Permitted Uses and Disclosures
  • A covered entity is permitted, but not required,
    to use and disclose PHI, without an individual's
    authorization, for the following purposes or
    situations:
  • To the Individual (unless required for access or
    accounting of disclosures)
  • Treatment, Payment, and Health Care Operations
  • Opportunity to Agree or Object (e.g., facility
    directories)
  • Incident to an otherwise permitted use and
    disclosure
  • Public Interest and Benefit Activities (e.g.,
    Required by Law, Judicial and Administrative
    Proceedings, Law Enforcement) and
  • Limited Data Set for the purposes of research,
    public health or health care operations

9
Authorized Uses and Disclosures
  • A covered entity must obtain the individual's
    written authorization for any use or disclosure
    of PHI that is not for treatment, payment or
    health care operations or otherwise permitted or
    required by the Privacy Rule. Examples include
    Psychotherapy Notes and Marketing.
  • A covered entity may not condition treatment,
    payment, enrollment, or benefits eligibility on
    an individual granting an authorization, except
    in limited circumstances.
  • An authorization must be written in specific
    terms.

10
Privacy Practices Notice
  • Each covered entity, with certain exceptions,
    must provide a notice of its privacy practices.
  • The Privacy Rule requires that the notice contain
    certain elements.

11
Other Individual Rights
  • Access. Except in certain circumstances,
    individuals have the right to review and obtain a
    copy of their PHI in a covered entity's
    designated record set.
  • Amendment. The Rule gives individuals the right
    to have covered entities amend their PHI in a
    designated record set when that information is
    inaccurate or incomplete.
  • Disclosure Accounting. Individuals have a right
    to an accounting of the disclosures of their PHI
    by a covered entity or the covered entity's
    business associates.

12
Business Associates
  • In general, a business associate is a person or
    organization, other than a member of a covered
    entity's workforce, that performs certain
    functions or activities on behalf of, or provides
    certain services to, a covered entity that
    involve the use or disclosure of individually
    identifiable health information.
  • Business associate functions or activities on
    behalf of a covered entity include claims
    processing, data analysis, utilization review,
    and billing.
  • Business associate services to a covered entity
    are limited to legal, actuarial, accounting,
    consulting, data aggregation, management,
    administrative, accreditation, or financial
    services.

13
Business Associate Agreement
  • There must be a contract between the covered
    entity and the business associate.
  • There are specific requirements that must be
    included in business associate agreements.

14
Enforcement and Penalties for Noncompliance
  • Civil Monetary Penalties
  • Criminal Penalties

15
Health Care Reform
  • The American Recovery and Reinvestment Act of
    2009 was signed into law on February 17, 2009.
  • Enactment of Health Information Technology for
    Economic and Clinical Health (HITECH) Act

16
Definition of Breach
  • Breach means the acquisition, access, use, or
    disclosure of PHI in a manner not permitted under
    the HIPAA Privacy Rule which compromises the
    security or privacy of the PHI.
  • Compromises the security or privacy of the PHI
    means poses a significant risk of financial,
    reputational, or other harm to the individual.
  • A use or disclosure of PHI that does not include
    the 16 direct identifiers (limited data set),
    date of birth, and zip code does not compromise
    the security or privacy of the PHI.

17
Significant Risk of Harm
  • Who impermissibly used the information, or to
    whom the information was impermissibly disclosed
  • Type of PHI involved
  • Number of Individuals Affected
  • Likelihood the Information is Accessible and
    Usable
  • Likelihood the Breach May Lead to Harm
  • Broad Reach of Potential Harm
  • Likelihood Harm Will Occur
  • Ability to Mitigate the Risk of Harm

18
Breach excludes . . .
  • Any unintentional acquisition, access, or use of
    PHI by a workforce member or person acting under
    the authority of a covered entity or a business
    associate, if such acquisition, access, or use
    was made in good faith and within the scope of
    authority and does not result in further use or
    disclosure in a manner not permitted under the
    Privacy Rule.
  • Any inadvertent disclosure by a person who is
    authorized to access PHI at a covered entity or
    business associate to another person authorized
    to access PHI at the same covered entity or
    business associate, or organized health care
    arrangement in which the covered entity
    participates, and the information received as a
    result of such disclosure is not further used or
    disclosed in a manner not permitted under the
    Privacy Rule.
  • A disclosure of PHI where a covered entity or
    business associate has a good faith belief that
    an unauthorized person to whom the disclosure was
    made would not reasonably have been able to
    retain such information.

19
Notification of Breach
  • A covered entity shall, following the discovery
    of a breach of unsecured PHI, notify each
    individual whose unsecured PHI has been, or is
    reasonably believed by the covered entity to have
    been, accessed, acquired, used, or disclosed as a
    result of such breach.
  • Content Requirements.

20
Definition of Unsecured PHI
  • Unsecured PHI means PHI that is not rendered
    unusable, unreadable, or indecipherable to
    unauthorized individuals through the use of a
    technology or methodology specified by the
    Secretary.
  • Unsecured PHI can include information in any form
    or medium, including electronic, paper, or oral
    form.

21
Discovery of Breach
  • A breach shall be treated as discovered by a
    covered entity as of the first day on which such
    breach is known to the covered entity, or, by
    exercising reasonable diligence would have been
    known to the covered entity.
  • A covered entity shall be deemed to have
    knowledge of a breach if such breach is known, or
    by exercising reasonable diligence would have
    been known, to any person, other than the person
    committing the breach, who is a workforce member
    or agent of the covered entity.

22
Timing of Notice
  • All required notifications shall be made without
    unreasonable delay and in no case later than 60
    days after the discovery of a breach by the
    covered entity involved.
  • Exception: Notification shall be delayed if a
    law enforcement official determines that the
    required notification would impede a criminal
    investigation or cause damage to national
    security.

23
Methods of Notice
  • Individual notice. Written notification must be
    provided by first class mail to the individual, or
    to next of kin or a personal representative if the
    individual is deceased, at the last known
    address.
  • Email notification possible.
  • Other methods of notification if emergency or
    covered entity does not have sufficient contact
    information.
  • Media notice. For a breach of unsecured PHI
    involving more than 500 individuals in a State or
    jurisdiction, a covered entity must notify
    prominent media outlets in the State or
    jurisdiction.

24
Duty to Notify Secretary
  • A covered entity shall, following the discovery
    of a breach of unsecured PHI.
  • For breaches involving 500 or more individuals,
    such notice must be provided
    contemporaneously with notification to
    individuals.
  • For breaches involving less than 500 individuals,
    a covered entity shall maintain a log or other
    documentation of such breaches and, not later
    than 60 days after the end of each year, submit
    such log to the Secretary.
  • http://transparency.cit.nih.gov/breach/index.cfm

25
Duty to Notify Secretary
26
Posting on HHS Website
  • Secretary will post a list on the HHS website
    that identifies each covered entity involved in a
    breach in which the unsecured PHI of more than
    500 individuals is acquired or disclosed.
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

27
Posting on HHS Website
28
Notice by Business Associate
  • A business associate shall, following the
    discovery of a breach of unsecured PHI, notify
    the covered entity of such breach.
  • If the BA is an agent of the covered entity, then
    the BA's discovery of the breach will be imputed
    to the covered entity.

29
Documentation
  • In the event of a use or disclosure in violation
    of the HIPAA Privacy Rule, the covered entity or
    business associate, as applicable, shall have the
    burden of demonstrating that all notifications
    were made as required or that the use or
    disclosure did not constitute a breach.

30
Restricted Disclosures
  • In the case that an individual requests that a
    covered entity restrict the disclosure of the
    PHI, the covered entity must comply with the
    requested restriction if:
  • the disclosure is to a health plan for purposes
    of carrying out payment or health care operations
    (and is not for purposes of carrying out
    treatment or required to be disclosed by law)
    and
  • the PHI pertains solely to a health care item or
    service for which the health care provider has
    been fully paid out of pocket.

31
Minimum Necessary
  • When using or disclosing PHI or when requesting
    PHI from another covered entity, a covered entity
    must make reasonable efforts to limit PHI to the
    minimum necessary to accomplish the intended
    purpose of the use, disclosure, or request.
  • A covered entity shall be in compliance with this
    requirement if the covered entity limits the use,
    disclosure or request of PHI, to the extent
    practicable:
  • To a limited data set, or
  • if needed by the covered entity, to the minimum
    necessary to accomplish the intended purpose of
    the use, disclosure, or request.
  • By August 18, 2010, the Secretary will issue
    guidance on what constitutes minimum necessary.
  • The covered entity disclosing such information
    shall determine what constitutes the minimum
    necessary to accomplish the intended purpose of
    such disclosure.

32
Minimum Necessary Cont.
  • The minimum necessary requirement is not imposed
    in any of the following circumstances:
  • Disclosure to or a request by a health care
    provider for treatment
  • Use or disclosure made to the individual, or the
    individual's personal representative
  • Use or disclosure made pursuant to an
    authorization
  • Disclosure to HHS for complaint investigation,
    compliance review or enforcement
  • Use or disclosure that is required by law or
  • Use or disclosure required to comply with HIPAA.

33
Accounting of PHI Disclosures
  • If a covered entity uses or maintains electronic
    health records with respect to PHI, then an
    individual has a right to receive an accounting
    of disclosures of PHI through the EHR made by a
    covered entity to carry out treatment, payment
    and health care operations for only three years
    prior to the date of request.

34
Accounting of PHI Disclosures
  • OCR published a request for information seeking
    comments to help better understand the interests
    of individuals with respect to learning of such
    disclosures, the administrative burden on covered
    entities and business associates of accounting
    for such disclosures, and other information that
    may inform the Department's rulemaking in this
    area.
  • What are the benefits to the individual of an
    accounting of disclosures, particularly of
    disclosures made for treatment, payment, and
    health care operations purposes?
  • If you are a covered entity, how do you make
    clear to individuals their right to receive an
    accounting of disclosures? How many requests for
    an accounting have you received from individuals?

36
Accounting Request
  • A covered entity may provide the individual
    either:
  • Accounting for disclosures that are made by
    covered entity and by a business associate acting
    on behalf of the covered entity or
  • Accounting for disclosures that are made by
    covered entity and provide a list of all business
    associates acting on behalf of the covered
    entity.
  • A business associate included on a list must
    provide an accounting of disclosures made by the
    business associate to the individual.

37
Accounting of PHI Disclosures
  • Effective date of new rules:
  • Covered entity that acquires an EHR before January
    1, 2009: January 1, 2014.
  • Covered entity that acquires an EHR after January
    1, 2009: the later of January 1, 2011 or the date
    that the covered entity acquires the EHR.
  • The Secretary may set a later effective date.

38
Sale of EHR or PHI
  • A covered entity or business associate may not
    receive payment (directly or indirectly) in
    exchange for an individual's PHI unless the
    covered entity obtains an authorization that
    specifies that the PHI can be further exchanged
    for payment by the receiving entity.
  • Authorization is not required if the purpose of
    the exchange is for:
  • Public health activities
  • Research and the price charged reflects the costs
    of preparation and transmittal of the data for
    such purpose
  • Treatment of the individual, subject to any
    regulation that the Secretary may promulgate to
    prevent PHI from inappropriate access, use, or
    disclosure
  • Health care operations
  • Payment that is provided by a covered entity to a
    business associate for activities involving the
    exchange of PHI that the business associate
    undertakes on behalf of and at the specific
    request of the covered entity pursuant to a
    business associate agreement
  • Providing an individual with a copy of the
    individual's PHI
  • Any other purpose determined by the Secretary in
    regulations

39
Individual Access to PHI
  • If a covered entity uses or maintains an
    electronic health record with respect to PHI, the
    individual shall have a right to obtain from the
    covered entity a copy of the information in an
    electronic format and, if the individual chooses,
    to direct the covered entity to transmit such
    copy directly to an entity or person designated
    by the individual, provided that any such choice
    is clear, conspicuous, and specific.
  • Any fee that the covered entity may impose for
    providing such individual with a copy of such
    information in an electronic form shall not be
    greater than the entity's labor costs in
    responding to the request for the copy.

40
Marketing
  • A covered entity must obtain an authorization for
    marketing purposes.
  • Marketing is defined as a communication about a
    product or service that encourages recipients of
    the communication to purchase or use the product
    or service.
  • The following types of communications are not
    considered marketing (Marketing Exceptions):
  • Description of a health-related product or
    service that is provided by, or included in a
    plan of benefits of the covered entity making the
    communication
  • Communication made for treatment of the
    individual or
  • Information for case management or care
    coordination for the individual, or to recommend
    alternative treatments, therapies, health care
    providers, or settings.

41
Marketing Communications Cont.
  • A communication by a covered entity or business
    associate as described in one of the Marketing
    Exceptions shall be considered marketing if the
    covered entity receives or has received direct or
    indirect payment in exchange for making such
    communication, except where such communication:
  • Describes only a drug or biologic that is
    currently being prescribed for the recipient of
    the communication and any payment received by
    such covered entity in exchange for making a
    communication is reasonable in amount
  • Is made by the covered entity and the covered
    entity obtains a valid authorization with respect
    to such communication or
  • Is made by a business associate on behalf of the
    covered entity and the communication is
    consistent with the written contract between such
    business associate and covered entity.

42
Fundraising
  • The Secretary shall issue a rule providing that
    any written fundraising communication must, in a
    clear and conspicuous manner, provide an
    opportunity for the recipient of the
    communications to elect not to receive any
    further such communication.
  • When an individual elects not to receive any
    further such communication, such election shall
    be treated as a revocation of authorization to
    use or disclose such individual's PHI.

43
Education
  • By August 18, 2009, the Secretary shall designate
    an individual in each regional office of HHS to
    offer guidance and education to covered entities,
    business associates, and individuals on their
    rights and responsibilities related to Federal
    privacy and security requirements for PHI.
  • By February 18, 2010, the HHS Office for Civil
    Rights shall develop and maintain a multi-faceted
    national education initiative to enhance public
    transparency regarding the uses of PHI, including
    programs to educate individuals about the
    potential uses of their PHI, the effects of such
    uses, and the rights of individuals with respect
    to such uses.

44
Education Cont.
  • For the first year beginning after the date of
    the enactment of this Act and annually
    thereafter, the Secretary is responsible for
    issuing annual guidance on the provisions in the
    HIPAA Security Rule.
  • HIPAA Security Standards Guidance on Risk
    Analysis May 7, 2010
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf

45
Enforcement - Wrongful Disclosure Criminal Penalties
  • A person (including an employee or other
    individual) shall be considered to have obtained
    or disclosed individually identifiable health
    information in violation of HIPAA if the
    information is maintained by a covered entity and
    the individual obtained or disclosed such
    information without authorization.
  • A person in violation of this section shall:
  • be fined not more than $50,000, imprisoned not
    more than 1 year, or both;
  • if the offense is committed under false
    pretenses, be fined not more than $100,000,
    imprisoned not more than 5 years, or both; and
  • if the offense is committed with intent to sell,
    transfer, or use individually identifiable health
    information for commercial advantage, personal
    gain, or malicious harm, be fined not more than
    $250,000, imprisoned not more than 10 years, or
    both.

46
Enforcement - Required Penalty and Investigation
  • The Secretary is now required to impose a civil
    penalty for a HIPAA violation (up to $100 for
    each violation) due to willful neglect.
  • The Secretary shall formally investigate any
    complaint of a HIPAA violation if a preliminary
    investigation of the facts of the complaint
    indicate a possible violation due to willful
    neglect.
  • Any HIPAA violation by a covered entity will now
    be subject to criminal and civil penalties for
    each violation.
  • Penalties are effective on or after February 18,
    2011.
  • Within 18 months after the enactment date, the
    Secretary shall promulgate regulations to
    implement these requirements.

47
Enforcement -Civil Penalties
  • Effective for violations on or after February
    18, 2009.

48
Enforcement -Civil Penalties
  • If the covered entity did not know and, by
    exercising reasonable diligence, would not have
    known that the covered entity violated such
    provision, the penalty may not be:
  • in the amount of less than $100 or more than
    $50,000 for each violation; or
  • in excess of $1,500,000 for identical violations
    during a calendar year.
  • If the violation was due to reasonable cause and
    not to willful neglect, the penalty may not be:
  • in the amount of less than $1,000 or more than
    $50,000 for each violation; or
  • in excess of $1,500,000 for identical violations
    during a calendar year.

49
Enforcement -Civil Penalties Cont.
  • If the violation was due to willful neglect and
    was corrected during the 30-day period beginning
    on the first date the covered entity liable for
    the penalty knew, or, by exercising reasonable
    diligence, would have known that the violation
    occurred, the penalty may not be:
  • in the amount of less than $10,000 or more than
    $50,000 for each violation; or
  • in excess of $1,500,000 for identical violations
    during a calendar year.
  • If the violation was due to willful neglect and
    was not corrected during the 30-day period
    beginning on the first date the covered entity
    liable for the penalty knew, or, by exercising
    reasonable diligence, would have known that the
    violation occurred, the penalty may not be:
  • in the amount of less than $50,000 for each
    violation; or
  • in excess of $1,500,000 for identical violations
    during a calendar year.

50
Enforcement -Civil Penalties Cont.
  • The Secretary may not impose a civil money
    penalty on a covered entity for a violation if
    the covered entity establishes that an
    affirmative defense exists with respect to the
    violation, including the following:
  • The violation is a wrongful disclosure criminal
    act; or
  • The covered entity establishes to the
    satisfaction of the Secretary that the violation
    is not due to willful neglect and was corrected
    during either:
  • The 30-day period beginning on the first date the
    covered entity liable for the penalty knew, or,
    by exercising reasonable diligence, would have
    known that the violation occurred; or
  • Such additional period as the Secretary
    determines to be appropriate based on the nature
    and extent of the failure to comply.

51
Enforcement Definitions
  • Reasonable cause means circumstances that would
    make it unreasonable for the covered entity,
    despite the exercise of ordinary business care
    and prudence, to comply with the administrative
    simplification provision violated.
  • Reasonable diligence means the business care and
    prudence expected from a person seeking to
    satisfy a legal requirement under similar
    circumstances.
  • Willful neglect means conscious, intentional
    failure or reckless indifference to the
    obligation to comply with the administrative
    simplification provision violated.

52
Enforcement
53
State Attorneys General
  • If a State attorney general has reason to believe
    that an interest of one or more of the State's
    residents has been or is threatened or adversely
    affected by any person who violates HIPAA, the
    attorney general may bring a civil action on
    behalf of such State residents in a US district
    court:
  • to enjoin further such violation by the
    defendant; or
  • to obtain damages on behalf of such State's
    residents.
  • The amount of damages shall be determined by
    multiplying the number of violations by up to
    $100.
  • In the case of a continuing violation, the number
    of violations shall be determined consistent with
    the HIPAA privacy regulations.
  • The total amount of damages for all violations of
    an identical requirement or prohibition during a
    year may not exceed $25,000.
  • In the case of any successful action, the court
    may award the costs of the action and reasonable
    attorney fees to the State.

54
State Attorneys General
55
Audits
  • The Secretary shall conduct periodic audits to
    ensure that covered entities and business
    associates comply with HIPAA's privacy and
    security rules.

56
Business Associates
  • Under HITECH, business associates are now
    required by law to comply with the business
    associate requirements provided under HIPAA.
  • Business Associates are now required to comply
    with Administrative, Physical and Technical
    safeguards along with the Policies and procedures
    and documentation requirements, in the same
    manner that such sections apply to the covered
    entity.
  • Business Associates are required to comply with
    any additional requirements of the HITECH Act
    that relate to security and that are made
    applicable with respect to covered entities.
  • These additional requirements of the HITECH Act
    shall be incorporated into the business associate
    agreement between the business associate and the
    covered entity.
  • Business Associates are now subject to the same
    criminal and civil penalties applicable to a
    covered entity that violates such security
    provision.

57
HHS Rulemaking
  • On March 15, 2010, OCR stated that it continues
    to work on a Notice of Proposed Rulemaking
    (NPRM) regarding the following provisions:
  • Business associate liability
  • New limitations on the sale of PHI, marketing,
    and fundraising communications and
  • Stronger individual rights to access electronic
    medical records and restrict the disclosure of
    certain information.
  • Interim final rules implementing HITECH Act
    provisions in two areas have already been issued
    and are currently in effect: enforcement and
    breach notification.

58
Timeline
59
PPACA
  • The Patient Protection and Affordable Care Act
    (PPACA) is a federal statute that was signed
    into law on March 23, 2010 along with the Health
    Care and Education Reconciliation Act of 2010.

60
Administrative Simplification
  • Section 1104 of the Act amends HIPAA's
    administrative simplification provisions by
    requiring the Secretary to adopt uniform
    standards for health care transactions which:
  • Enable determination of individuals' eligibility
    and financial responsibility prior to or at point
    of care
  • Minimize the need for paper attachments to claims
    submissions
  • Provide for timely acknowledgment, response and
    status reporting
  • Describe all data elements (including reason and
    remark codes) in unambiguous terms, require that
    such data elements be required or conditioned
    upon set values in other fields, and prohibit
    additional conditions.

61
HIPAA Compliance
  • States that participate under Wellness Program
    Demonstration Projects shall ensure that consumer
    data is protected in accordance with HIPAA
  • School-Based Health Centers must comply with
    regulations promulgated under HIPAA
  • Any federally conducted or supported health care
    or public health program activity or survey
    collected by Secretary is protected under HIPAA
  • Secretary shall ensure compliance with HIPAA in
    pursuing activities under Elder Justice
  • Secretary shall ensure that the Congenital Heart
    Disease Surveillance System complies with HIPAA
  • Enhances subpoena authority under HIPAA