1
HIPAA/HITECH Update
By LYNDA M. JOHNSON, Friday, Eldredge & Clark
2
HITECH Act Privacy and Security
  • Extended the reach of the HIPAA Privacy and
    Security Rules to business associates (BAs)
  • Imposed breach notification requirements on HIPAA
    covered entities (CEs) and BAs
  • Limited certain uses and disclosures of protected
    health information (PHI)
  • Increased individuals' rights with respect to PHI
    maintained in EHRs
  • Increased enforcement of, and penalties for,
    HIPAA violations

3
The HIPAA Omnibus Final Rule
  • On July 14, 2010, HHS published a notice of
    proposed rulemaking (the Proposed Rule) that
    would modify the HIPAA Privacy, Security and
    Enforcement Rules
  • After much delay, HHS published the HIPAA Omnibus
    Final Rule on January 25, 2013
  • Amends the Privacy, Security, Enforcement and
    Breach Notification Rules
  • Also makes conforming changes pursuant to the
    Genetic Information Nondiscrimination Act of 2008
    (GINA)
  • The Final Rule implements the requirements of the
    HITECH Act and largely adopts the Proposed Rule
    without major changes.

4
Compliance Dates
  • Final Rule became effective March 26, 2013
  • Compliance was required by September 23, 2013

5
Business Associates
  • HITECH imposes new privacy and security
    obligations on BAs and personal health record
    companies
  • To increase consumer confidence in EHRs and PHRs,
    companies that provide those products and aid in
    electronic transmission of PHI are subject to
    more direct privacy and security regulation

6
Business Associates: Satisfactory Assurances
  • A covered entity may disclose protected health
    information to business associates if it obtains
    satisfactory assurances that business
    associates will appropriately safeguard the
    information
  • Business associate contract required

7
Use and Disclosure: Who Is a Business Associate?
  • A person acting on behalf of a covered entity who
      • Creates, receives, maintains or transmits PHI
      • For a function or activity regulated by HIPAA (a
        covered entity function)
      • Provides certain identified services to a covered
        entity

  [Diagram: examples of business associates surrounding
  the covered entity: billing firms; lawyers, actuaries;
  outsourcing vendors; accountants, auditors, financial
  services; clearinghouses; management firms;
  consultants, vendors; accreditation organizations]

  • BAs may also be covered entities
  • This is the Final Rule's newly tweaked definition

8
No Business Associate Relationship
  • Workforce
  • Provider and plan
  • Provider and provider for treatment
  • Hospital and medical staff member
  • Group health plan and plan sponsor
  • Financial institutions
  • Due diligence activities
  • Members of organized health care arrangements
  • Conduits (mail services and electronic
    equivalents) that only access PHI on a random or
    infrequent basis

9
The Conduit Exception
  • OCR notes that the exception is limited to services
    that transmit PHI
  • Even when there is temporary storage of the
    transmitted data related to the transmission
  • A company that only maintains PHI on behalf of a
    covered entity is a BA, even if the entity does
    not actually view the PHI
  • Examples: data storage company, cloud computing
    provider

10
Expanded Definition of Business Associates
  • Definition of business associate now includes
      • Patient safety organizations under the Patient
        Safety and Quality Improvement Act of 2005
      • Organizations that provide data transmission of
        PHI to a covered entity, such as Health
        Information Organizations and E-prescribing
        Gateways, and that require routine access to PHI
      • PHR vendors acting on behalf of a CE
      • Subcontractors to a BA that create, receive,
        maintain or transmit PHI on behalf of a BA

11
Business Associate Security Rule Compliance
  • Necessary steps for Security Rule compliance
      • Conducting a formal security risk assessment
      • Implementing written policies and procedures with
        respect to Security Rule standards
      • Providing security training to workforce members
      • Amending BAAs to include provisions required by
        the Security Rule, and
      • Appointing a Security Officer to oversee Security
        Rule compliance efforts

12
BA Liability
  • BAs may be directly liable for
      • Uses and disclosures of PHI in violation of a BAA
        or the Privacy Rule (including more than minimum
        necessary)
      • Failing to comply with the Security Rule
      • Failing to provide breach notification to a CE
      • Failing to disclose PHI to the Secretary of HHS
        to investigate compliance
      • Failing to disclose PHI to comply with an
        individual's request for an electronic copy of
        PHI
      • Failing to contract with subcontractors

13
BA Privacy Rule Compliance
  • Written privacy policies and procedures
    addressing BA privacy obligations are not
    strictly required, but are prudent
  • Addressing minimum necessary standard, storing
    paper PHI, faxing and document destruction
    practices, etc.
  • Given the significant liability risks associated
    with security breaches, a written breach response
    plan tracking HIPAA/HITECH requirements is also
    recommended

14
Subcontractor BAAs
  • Prior to HITECH, BAs were required to ensure
    that a subcontractor agree to the same privacy
    and security obligations that apply to a BA with
    respect to PHI
  • Written agreements between BAs and subcontractors
    are common, but not strictly required
  • Final Rule requires that a BA enter into a
    written agreement with a subcontractor ensuring
    compliance with applicable Privacy and Security
    Rule requirements

15
Subcontractor BAAs (cont.)
  • Obligation to enter into a BAA with a
    subcontractor rests solely with the BA, not the
    CE
  • The form of a downstream subcontractor BAA is
    identical to an upstream BAA between a CE and a
    BA

16
Downstream Business Associate Agreements
Each downstream subcontractor BAA must be at
least as stringent as the primary BAA between a
BA and the CE
17
BAA Transition Period
  • If a BAA compliant with prior HIPAA requirements
    was entered into prior to the publication date of
    the Final Rule (Jan. 25, 2013), AND
  • The BAA is not renewed or modified between March
    26 and Sept. 23, 2013, THEN
  • The BAA will be deemed compliant until the
    EARLIER of
      • The date the contract is renewed or modified on
        or after Sept. 23, 2013, OR
      • Sept. 23, 2014

18
BAA Liability
  • Final Rule amends the Enforcement Rule to provide
    that BAs may be directly liable for civil money
    penalties for violations of the Privacy and
    Security Rules
  • BAs will be liable, in accordance with the
    federal common law of agency, for violations
    based upon the acts or omissions of agents
  • Includes workforce members and subcontractors
  • But must be acting within the scope of agency

19
CE Liability: Final Rule
  • The Final Rule makes CEs liable for actions of
    BAs acting as agents under the federal common law
    of agency, just as BAs will be liable for actions
    of subcontractors
  • For BAs that are independent contractors,
    rather than agents, CEs will have an
    affirmative defense to these liabilities if they
    can show no willful neglect and timely corrective
    action
  • Hard to apply the agency principle with certainty
    because it requires evaluating the degree of
    control that the CE exercises over the BA's
    conduct

20
When Is a BA an Agent?
  • In commentary to the Final Rule, OCR states that
    the essential factor in determining whether an
    agency relationship exists is the right of the CE
    to control the conduct of the BA in performing
    its services
  • OCR says that the ability of a CE to give interim
    instructions or directions suggests an agency
    relationship

21
When Is a BA an Agent? (cont.)
  • If a BA performs its duties strictly in accordance
    with the terms of its agreement and any change in
    duties requires a contract amendment, then the BA
    is probably not an agent
  • CE can be liable for the actions of an agent BA
    even in the absence of a business associate
    contract

22
Accretive Health Settlement
  • January 2012: Minnesota AG brings enforcement
    action against Accretive Health, Inc., a business
    associate, using authority under the HITECH statute
  • Accretive had a laptop stolen containing approx.
    23,500 patients' records
  • In its capacity as BA to two Minnesota health systems
  • AG sought to use authority under the HITECH statute
    in the first such action against a BA

23
The Settlement
  • July 30, 2012: Minnesota AG and Accretive reach
    settlement
  • Accretive ceases doing business in Minn. for two
    years
  • And for the next four years, Accretive can
    reenter the state only with permission of the AG and
    after entering into a consent decree
  • $2.5 million settlement payment placed in a
    restitution fund for patients

24
The Takeaways
  • Some state AGs may take a similarly aggressive
    approach to enforcement and BAs should be
    prepared
  • A formal HIPAA security compliance program is not
    required of a BA today according to OCR
  • But an AG may take a different view
  • An AG HIPAA enforcement action can lead to a more
    wide-ranging investigation and charges under
    state laws
  • In Accretive, this included charges under Minn.
    consumer protection laws over alleged aggressive
    collection practices
  • AGs may interpret HIPAA and HITECH in novel ways
    such as asserting a current, affirmative duty
    of a BA to enter into a BAA

25
HIPAA Pilot Audit Program
  • HITECH required that HHS conduct periodic audits
    to ensure compliance with HIPAA
  • OCR implemented the requirement through a pilot
    program of 115 audits from November 2011 through
    December 2012
  • First wave of audits applied to CEs only
  • BAs will be subject to future audits
  • It will be interesting to see how BAs are
    selected for audit, given the wide variety of
    businesses that qualify as BAs

26
The Rest of the HITECH Story
  • Breach notification standards
  • Penalty structure and enforcement process
  • Business associate requirements
  • Limits on disclosures to health insurers
  • Sale of PHI limits
  • Marketing limits
  • Fundraising limits
  • Genetic info limits (health insurers)
  • Disclosures regarding deceased persons
  • Disclosures for school immunizations
  • New rules regarding research authorizations
  • Individual rights to electronic PHI
  • Notice of privacy practices requirements

27
Deceased Persons
Protected health information is defined to
exclude information about a person who has been
deceased for more than 50 years.
28
Deceased Persons (cont.)
  • If an individual is deceased, a covered entity
    may disclose PHI about the decedent to a family
    member, relative, close personal friend, or other
    person involved in the decedent's healthcare or
    payment for care prior to the decedent's death
    if
      • Disclosure is not inconsistent with prior
        expressed wishes of the decedent known to the
        covered entity, and
      • PHI is relevant to the recipient's involvement in
        the decedent's healthcare or payment for care.

29
Deceased Persons (cont.)
  • Family member means
      • Dependent.
      • Person who is a first-, second-, third- or
        fourth-degree relative of the individual or of a
        dependent of the individual.
  • Applies to both relatives by blood and by
    marriage.
  • Applies to step-relatives as with full relatives.

30
School Immunizations
  • Covered entity may disclose proof of immunization
    to a school if
      • PHI disclosed is limited to proof of
        immunization
      • School is required by state or other law to have
        such proof of immunization prior to admitting the
        individual
      • Covered entity obtains agreement to disclosure
        from either
          • The individual, if emancipated or an adult, or
          • A parent, guardian or other person acting in
            loco parentis if the individual is an
            unemancipated minor.
      • Covered entity documents the agreement.

31
Restrictions on Disclosure of PHI to Health
Insurers
  • Covered entity must agree to an individual's
    request to restrict disclosure of PHI to a health
    plan if
      • The PHI pertains solely to a health care item or
        service for which the individual, or another
        person on the individual's behalf, paid the
        covered entity in full, and
      • Disclosure is for the purpose of carrying out the
        health plan's payment or health care operations
        and is not otherwise required by law.

32
Restrictions on Disclosure of PHI to Health
Insurers (cont.)
  • HHS acknowledged the operational problems with
    the new rule, but concluded providers should
    already have methods to flag records under
    minimum necessary standard.
  • Only applies to disclosures to health plans, not
    others.
  • Does not apply if disclosure is otherwise
    required by law, e.g., Medicare audits, payment
    conditions, etc.

33
Restrictions on Disclosure of PHI to Health
Insurers (cont.)
  • Provider may require payment in full before the
    individual may invoke the restriction.
  • If the provider cannot unbundle the items or
    services, notify the individual that they must pay
    the entire bill to trigger the rule.
  • Individual is responsible for notifying
    downstream providers.

34
Restrictions on Disclosure of PHI to Health
Insurers (cont.)
  • The restriction only applies if the individual
    requests the restriction.
  • Must include a statement advising the individual
    of the restriction in the notice of privacy
    practices, but most individuals don't read the
    notice.
  • Don't ask the individual!

35
Sale of PHI
  • Covered entity or business associate may not sell
    PHI unless
      • They obtain the individual's prior written
        authorization, and
      • Authorization discloses that the covered entity
        will receive remuneration in exchange for PHI.
  • Sale of PHI means disclosure of PHI by a
    covered entity or business associate if they
    receive directly or indirectly any remuneration,
    financial or otherwise, from or on behalf of the
    recipient of the PHI in exchange for the PHI.

36
Sale of PHI (cont.)
  • Sale of PHI does not include disclosures
      • To the individual who is the subject of the PHI.
      • For treatment or payment purposes.
      • Required by law.
      • As part of the sale, transfer, merger, or
        consolidation of the covered entity and related
        due diligence.
      • To or by a business associate where the
        remuneration is to pay for the business
        associate's activities.
      • For certain public health purposes.
      • For purposes permitted by HIPAA if the only
        remuneration received is a reasonable cost-based
        fee to cover the cost to prepare and transmit the
        PHI for such purposes, or a fee otherwise
        expressly permitted by other law.

37
Sale of PHI (cont.)
  • Sale of PHI does not include payments per
    arrangements to perform services where disclosure
    of PHI is a byproduct of the service, e.g.,
      • Grants for program or perform activities.
      • Research studies.
      • Participation in a health insurance exchange.
      • Sale of accounts receivable to a collection agency.

38
Marketing
  • Covered entity and business associate must obtain
    an authorization for any use or disclosure of PHI
    for marketing.
  • Marketing means a communication about a product
    or service that encourages recipients of the
    communication to purchase or use the product or
    service.

39
Marketing (cont.)
  • If marketing involves financial remuneration to
    the covered entity from a third party, the
    authorization must state that such remuneration
    is involved.
  • Financial remuneration means direct or indirect
    payment by the third party whose product or
    service is being described.

40
Marketing (cont.)
  • Marketing does not include a communication
    made
      • To provide refill reminders or communicate about
        a drug that is currently being prescribed for the
        individual.
          • Any financial remuneration must be reasonably
            related to the cost of making the
            communication.

41
Marketing (cont.)
      • For the following treatment and health care
        operations purposes, unless the covered entity
        receives financial remuneration for the
        communication
          • Treatment, including case management, care
            coordination, or recommending treatment
            alternatives, or
          • To describe a health-related product or
            service provided by the covered entity.

42
Marketing (cont.)
  • No authorization is required for the following
    marketing communications, even if financial
    remuneration is received for making the
    communication
      • Face-to-face communication made by a covered
        entity to an individual.
          • Not via telephone, text, internet, fax, etc.
      • A promotional gift of nominal value provided by
        the covered entity.

43
Marketing (cont.)
  • No authorization is required for communications
      • Promoting health in general, not a product or
        service.
      • About government-sponsored programs.

44
Fundraising
  • Subject to certain conditions, a covered entity
    may disclose the following PHI to a business
    associate or institutionally related foundation
    for the purpose of raising funds for its own benefit
    without an authorization
      • Name, address, contact info, age, gender and
        birthdate
      • Dates of healthcare provided to the individual
      • Department of service information
      • Treating physician
      • Outcome information, and
      • Health insurance status.

45
Fundraising (cont.)
  • To use PHI for fundraising, covered entity
      • Must include a statement notifying the individual
        of fundraising in the covered entity's notice of
        privacy practices.
      • With each fundraising communication, must provide
        a clear and conspicuous opportunity to opt out of
        fundraising.
          • Method for opting out cannot cause undue
            burden or more than nominal cost (e.g.,
            toll-free number, e-mail).

46
Fundraising (cont.)
  • May not condition treatment or payment on
    participation in fundraising.
  • May not make fundraising communications to
    individuals who opt out.
  • May notify individuals of a method to opt back in.

47
Research: Compound Authorizations
  • May combine an authorization to use or disclose PHI
    for a research study with any other type of
    permission for the same or another research study
    (i.e., may use a compound authorization),
    including
      • Consent to participate in research,
      • Another authorization for the same research
        study, or
      • An authorization for the creation or maintenance
        of a research database or repository.

48
Research: Compound Authorizations (cont.)
If compound authorization conditions treatment on
participation in research, must clearly identify
conditioned components and give individual an
opportunity to opt in to the unconditioned
research activities.
49
Research: Authorizing Future Research
  • Research authorization may allow use or
    disclosure of PHI for purposes of future
    research.
  • Authorization purpose need not be limited to
    the current study.
  • This is a change in HHS interpretation.

50
Individual Access to PHI
  • Extension for off-site records is deleted.
  • Covered entities must generally respond to
    request for access within 30 days.
  • May obtain one 30-day extension.

51
Individual Access to PHI (cont.)
  • If PHI is maintained in electronic form and the
    individual requests an electronic copy of the PHI
      • Covered entity must provide access to the PHI in
        the form and format requested by the individual
        if it is readily producible.
      • If PHI is not readily producible in the requested
        form and format, covered entity must provide it
        in a form as agreed by the covered entity and
        the individual.

52
Individual Access to PHI (cont.)
  • If the individual requests that PHI be sent to
    another person, the covered entity must comply.
    Request must be in writing, signed by the individual
    and clearly identify the recipient.
  • May charge reasonable cost-based fee, including
    labor and supplies for portable media.

53
Notice of Privacy Practices
  • Must add certain items to notice of privacy
    practices.
      • Authorizations are required for most uses and
        disclosures of psychotherapy notes (if
        applicable), marketing purposes, and sale of PHI.
      • Uses and disclosures not described in the notice
        require authorizations.
      • Individual may opt out of receiving fundraising
        communications.

54
Notice of Privacy Practices (cont.)
      • Individual may restrict disclosures to health
        insurers if the individual pays for the treatment.
      • Covered entity must notify the individual of a
        breach of unsecured PHI.
      • For health plans, may not use or disclose genetic
        info for underwriting.

55
Notice of Privacy Practices (cont.)
  • May delete certain items from notice of privacy
    practices.
      • Covered entity may contact the individual to
        provide appointment reminders or info about
        treatment alternatives or other health-related
        benefits and services that may be of interest to
        the individual.

56
Notice of Privacy Practices (cont.)
  • Changes will require publication of new notice of
    privacy practices.
  • Post new notice in prominent location at
    facility. May post summary if full notice is
    otherwise available to individual without
    individual having to request notice.
  • Post new notice on website.

57
Notice of Privacy Practices (cont.)
  • Provide copy of notice to new individuals.
  • Provide copy of new notice to other individuals
    upon request.
  • Comply with discrimination laws, e.g., may need
    to provide copy in other languages, Braille, etc.
  • New requirements for health plans.

58
Not Included in Final Rule, but Coming Soon?
59
Individuals' Recovery for Fines and Penalties
  • HITECH Act requires HHS to establish a
    methodology under which an individual who is
    harmed by a violation of the privacy or security
    rules may receive a percentage of any civil
    monetary penalty or monetary settlement collected
    with respect to such offense.
  • Subject to future rulemaking.

60
Accounting of Disclosures for e-PHI
  • HITECH Act requires HHS to issue regulations
    allowing individuals to obtain an accounting of
    disclosures made for purposes of treatment,
    payment and healthcare operations if the
    disclosure is through an electronic health
    record.
  • HHS issued a proposed rule that would entitle
    individuals to obtain a broad report concerning
    those who accessed their PHI or to whom their PHI
    was disclosed.
  • Subject to future rulemaking.

61
Take Aways
62
Omnibus Rule Action Items
  • If you are a business associate, make sure you
    comply with the rules, e.g.,
      • Protect PHI consistent with HIPAA rules and the
        business associate agreement.
      • Conduct a security risk assessment.
      • Implement safeguards required by the Security
        Rule.
      • Notify the covered entity of breaches.
      • Enter into business associate agreements with
        subcontractors.

63
Omnibus Rule Action Items (cont.)
  • If you are a covered entity, make sure your
    business associate agreements comply.
  • Obtain agreements for new business associates,
    including covered data transmission services.
  • Review existing agreements to ensure they comply
    with operative rules.

64
Omnibus Rule Action Items (cont.)
  • As new agreements are written or renewed, ensure
    they comply with new rules.
  • Ensure all agreements comply by 9/23/14.
  • Ensure business associates are not your agents
    unless you are willing to risk vicarious
    liability.

65
Omnibus Rule Action Items (cont.)
  • Update your notice of privacy practices
  • Compliance Deadline was 9/23/13.
  • Post updated notice and make available to
    individuals.

66
Omnibus Rule Action Items (cont.)
  • Update policies and processes to comply with new
    rules.
      • Restrictions on disclosures to health insurers.
      • Disclosures regarding deceased persons.
      • Marketing, fundraising, and sale of PHI.
      • Individual access to electronic PHI.
      • Breach notification requirements.
  • Train your employees concerning the new rules.

67
Omnibus Rule Action Items (cont.)
  • If you have a potential breach of PHI, use the new
    "low probability that data has been compromised"
    standard.
  • Given the new rules and breach notification standard,
    it is a good time to review your entire HIPAA
    compliance program.

68
Access to Lab Test Reports
On February 6, 2014, CMS published a final rule
that amends the Clinical Laboratory Improvement
Amendments of 1988 (CLIA) regulations to allow
laboratories to give a patient, or a person
designated by the patient (his or her "personal
representative"), access to the patient's
completed test reports upon request of the
patient or the patient's personal representative.
69
Access to Lab Test Reports (cont.)
At the same time, this rule eliminates the
exception under the HIPAA Privacy Rule to an
individual's right to access his or her protected
health information when it is held by a
CLIA-certified or CLIA-exempt laboratory.
70
Access to Lab Test Reports (cont.)
While patients can continue to get access to
their laboratory test reports from their doctors,
these changes give patients a new option to
obtain their test reports directly from the
laboratory while maintaining strong protections
for patients' privacy.
71
Access to Lab Test Reports (cont.)
Under the HIPAA Privacy Rule, patients, patients'
designees and patients' personal representatives
can see or be given a copy of the patient's
protected health information, including an
electronic copy, with limited exceptions.
72
Access to Lab Test Reports (cont.)
  • In doing so, the patient or the personal
    representative may have to put their request in
    writing and pay for the cost of copying, mailing,
    or electronic media on which the information is
    provided, such as a CD or flash drive. In most
    cases, copies must be given to the patient within
    30 days of his or her request.
  • Published February 6, 2014
  • Compliance Deadline October 6, 2014

73
QUESTIONS
  • Lynda M. Johnson
  • Friday, Eldredge & Clark, LLP
  • ljohnson@fridayfirm.com
  • 501-370-1553