HIPAA Update

1
HIPAA Update Significant Omnibus Rule Changes

• Rose Willis
• Billee Lightvoet Ward
• Dickinson Wright PLLC

2
HIPAA OMNIBUS RULE

• Timeline
• Published January 25, 2013
• Effective Date March 26, 2013
• Compliance Date September 23, 2013
• Transition Period September 23, 2014
• omnibus adjective containing or including many
  items
• Privacy Rule
• Security Rule
• Breach Notification Rule
• Enforcement Rule
• omnibus. Merriam-Webster.com. 2014.
  http//www.merriam-webster.com/dictionary/omnibus
  (9 September 2014)

3
HIPAA OMNIBUS RULE

• . . . the most sweeping changes
• to the HIPAA Privacy and Security Rules since
  they were first implemented.
• Leon Rodriguez, Director, HHS Office for Civil
  Rights

4
HIPAA OMNIBUS RULE

• These changes not only greatly enhance a
  patients privacy rights and protections, but
  also strengthen the ability of my office to
  vigorously enforce the HIPAA privacy and security
  protections, regardless of whether the
  information is being held by a health plan, a
  health care provider, or one of their business
  associates.
• Leon Rodriguez, Director, HHS Office for Civil
  Rights

5
WHATS NEW

• Decedents
• PHI no longer protected 50 years after date of
  death
• Access
• Covered Entities (CE) must provide access to
  e-PHI in the form requested if readily producible
  in such form
• Must be provided within 30 days (30 day extension
  allowed)
• Restrictions
• CE must restrict disclosures to health plans
  concerning treatment for which the individual
  paid in full

6
WHATS NEW

• Notice of Privacy Practices
• Past Compliance Deadline for Revisions
• Material Revisions
• Distribution of Revised Version
• HHS Model Notice of Privacy Practices
• Business Associates (BA)
• Expanded definition
• New requirements for Business Associate
  Agreements
• Direct liability
• Breach Notification Rule
• Presumption of breach
• New risk assessment standards

7
Notice of Privacy Practices

• The deadline for making required changes was
  September 23, 2013
• What if you did not meet this deadline?
• No back dating

8
Notice of Privacy Practices

• Whats new The NPP must include a statement that
  any uses and disclosures of a patients PHI for
  marketing purposes require an individuals
  written authorization.

Marketing Purposes The term marketing means
to make a communication about a product or
service that encourages recipients of the
communication to purchase or use the product or
service but generally excepts communications for
treatment and health care operations. Exception
face to face communication made by the covered
entity or promotional gift of nominal value
provided by the covered entity
If the marketing involves to the covered
entity by a third party, the authorization must
state that is involved.
9
Notice of Privacy Practices

• Whats new The NPP must include a statement that
  any uses and disclosures of a patients PHI that
  are considered the sale of PHI require an
  individuals written authorization.

Authorization must state that the disclosure will
result in to the CE!
10
Notice of Privacy Practices

• Whats new If the CE records or maintains
  psychotherapy notes, NPP must include a statement
  that uses and disclosures of psychotherapy notes
  require an individuals written authorization.
• Psychotherapy Notes notes recorded (in any
  medium) by a health care provider who is a mental
  health professional documenting or analyzing the
  contents of conversation during a private
  counseling session or a group, joint, or family
  counseling session and that are separated from
  the rest of the individuals medical record.
  Psychotherapy notes excludes medication
  prescription and monitoring, counseling session
  start and stop times, the modalities and
  frequencies of treatment furnished, results of
  clinical tests, and any summary of the following
  items diagnosis, functional status, the
  treatment plan, symptoms, prognosis, and progress
  to date.

11
Notice of Privacy Practices

• Whats new Other Uses and Disclosures - The NPP
  must also state that uses and disclosures of PHI
  not listed in the notice will be made only with
  an individuals written authorization.

Uses and disclosures of your PHI that are not
listed in this notice will be made only with your
written authorization
Remember - Notice of Privacy Practices is the
Roadmap!
12
Notice of Privacy Practices

• Refresher What is an Authorization?

• Make sure that you have a HIPAA-compliant
  authorization!
• It must meet specific requirements of the HIPAA
  Privacy Rule, such as
• Specific identification of the information to be
  used or disclosed
• Expiration date or expiration event
• Signature of the patient and date
• Certain required statements such as the
  individual having the right to revoke the
  authorization in writing.

13
Notice of Privacy Practices

• Whats new A covered entity that intends to
  contact an individual for fundraising purposes
  must disclose in its NPP that it may contact the
  individual to raise funds and that the individual
  has the right to opt out of receiving such
  communications.
• Fundraising A communication to an individual
  that is made by a covered entity, an
  institutionally related foundation, or a business
  associate on behalf of the covered entity for the
  purpose of raising funds for the covered entity
  is a fundraising communication
• Opt out the mechanism for opting out must go in
  the fundraising solicitation, not in the NPP.

14
Notice of Privacy Practices

• Whats new NPP must include right to restrict
  disclosures of PHI to a health plan when the
  individual (or someone on their behalf) pays out
  of pocket in full for the health care item or
  service.
• This is a new obligation of each CE where
  disclosure is to carry out payment or health care
  operations and the PHI pertains solely to a
  service for which payment has been made to the
  covered entity in full.
• Discuss with patient any inability to unbundle a
  bundled service
• Downstream providers- no obligation to notify (so
  far)

15
Notice of Privacy Practices

• Whats new NPP must include a statement
  informing individuals of their right to be
  notified following a breach of their unsecured
  PHI.
• You have the right to be notified following a
  breach of your unsecured PHI
• A simple statement no need to include the
  regulatory requirements of breach notification
  (discussed later in this session).

16
Notice of Privacy Practices

• Whats new For health plans only, the NPP must
  state that the health plan is prohibited from
  using or disclosing genetic information for
  underwriting purposes.

17
Notice of Privacy Practices

• Possible Additional Amendments (not required)
• Statement regarding individuals right to a copy
  of PHI maintained electronically by the CE
• Individuals ability to have immunization records
  sent directly by the CE to a school
• Applicable time frames for an individuals access
  to his or her PHI.

18
Notice of Privacy Practices Distribution of
Revised Version

• Incorporate new Revision Date (no back dating)
• CE must distribute the revised NPP as follows
• Make the revised NPP available upon request on or
  after the effective date of the revised notice
• Have the NPP available at the delivery site
• Post the revised notice in a clear and prominent
  location
• Provide to all new patients along with an
  acknowledgment of receipt
• Post to website, if you have one

19
HHS Model Notices of Privacy Practices

• http//www.hhs.gov/ocr/privacy/hipaa/modelnotices.
  html
• Recommendation
• Use HHS form but tailor it.

20
BUSINESS ASSOCIATES

• Who is a Business Associate?
• Refresher
• A person (or entity) who performs certain
  functions or activities for or on behalf of CE,
  or provides certain services to CE
• Billing, claims processing, data analysis
• Utilization review, QA, practice management
• Legal, accounting, financial services
• Must involve the use or disclosure of PHI
• Not a member of the CEs workforce

21
BUSINESS ASSOCIATES

• Who is a Business Associate?
• Whats new
• Any person who creates, receives, maintains or
  transmits PHI for certain functions or
  activities on CEs behalf
• New category of functions patient safety
  activities
• Clarification data storage companies who
  maintain PHI are BAs regardless of whether they
  view the PHI

22
BUSINESS ASSOCIATES

• Who is a Business Associate?
• Whats new
• New service providers
• Persons providing data transmission services
  (HIO e-prescribing gateway, etc.) and require
  routine access
• Persons offering personal health records on CE
  behalf
• Subcontractors of the BA

23
BUSINESS ASSOCIATES

• Business Associate Agreements
• Refresher
• CE must enter into a Business Associate Agreement
  (BAA)
• BAA must
• Establish permitted and required uses and
  disclosures of PHI
• Require BA to implement administrative, physical
  and technical safeguards
• Comply with certain other obligations to assist
  CE in meeting its HIPAA obligations
• Report use/disclosure not provided for in BAA
• Authorize termination of the contract for BAs
  material violation
•  

24
BUSINESS ASSOCIATES

• Business Associate Agreements
• Whats new
• The BAA must now require BA to
• Comply with the HIPAA Security Rule for e-PHI
• Report breaches of unsecured PHI
• Comply with applicable Privacy Rule requirements
  when carrying out a CEs obligation under the
  Privacy Rule
• Take steps to cure or end the violation (or
  terminate the relationship) if it knows of a
  Subcontractors pattern of activity or practice
  that constitutes a material breach of the
  Subcontractors obligations
• Whats new
• BA must have BAA with Subcontractors

25
BUSINESS ASSOCIATES

• Liability
• Refresher
• CE is liable for BA violations
• BA had no direct HIPAA liability (breach of
  contract only)
• Whats new
• BA (including Subcontractors) are now directly
  liable under HIPAA
• CE/BA can be held vicariously liable for agents
  violations
• Facts and circumstances
• Key indicator authority to control performance
  of the services
• Independent Contractor language not enough

26
BREACH NOTIFICATION

• Breach Notification Rule
• CEs and BAs must notify affected patients, DHHS,
  and, in some instances, the media of certain
  breaches of unsecured PHI
• i.e. not encrypted or destroyed
• Breach means an acquisition, access, use, or
  disclosure of PHI in a manner not permitted under
  the Privacy Rule which compromises the security
  or privacy of the PHI.

27
BREACH NOTIFICATION

• Whats new
• Presumption of Breach
• An improper use or disclosure is presumed to be a
  breach
• To refute the presumption that there was a
  breach, CE must
• conduct and document a comprehensive risk
  assessment and
• determine that there was a low probability that
  PHI has been compromised

28
BREACH NOTIFICATION

• Risk Assessment
• Nature and extent of PHI
• Sensitive information included?
• Unauthorized person who used or obtained the PHI
• Another CE?
• Whether the PHI was actually acquired or viewed
• Extent to which the risk to PHI has been
  mitigated
• Documents retrieved?

29
BREACH NOTIFICATION

• Notification to Individuals
• Without unreasonable delay, not more than 60 days
  after discovery
• When CE knew or would have known (reasonable
  diligence)
• When agent/workforce member knew (other than the
  person committing the breach)
• When CE receives notice from BA
• If BA is an agent, when BA discovered breach
• Content of Notice
• What, when, and when discovered
• Description of compromised PHI
• Steps individuals should take to mitigate effects
• Steps CE is taking
• CE contact information

30
BREACH NOTIFICATION

• Notification to Media
• gt 500 affected individuals
• Within 60 days of discovery
• Prominent media outlets (depends on the market)
• Press release on a CE website does not meet this
  requirement

31
BREACH NOTIFICATION

• Notification to Secretary
• Immediately
• gt 500 affected individuals (anywhere)
• immediate means at the time individual notices
  are sent
• Annually
• lt 500 affected individuals
• maintain log and report on HHS website within 60
  days of end of calendar year

32
Breach Notification Reports to Congress

• Breaches affecting fewer than 500 individuals
• 165,135 reports made to OCR in 2012
• Most common (in order of frequency)
• (1) unauthorized access or disclosure (21,639
  reports affecting 62,069 individuals)
• (2) unknown/other (2,033 reports affecting
  13,091 individuals)
• (3) theft (1,028 reports affecting 49,132
  individuals)
• (4) loss (789 reports affecting 20,176
  individuals)
• (5) improper disposal (155 reports affecting
  4,518 individuals) and
• (6) hacking/IT incident (61 reports affecting
  2,619 individuals).

33
Breach Notification Reports to Congress

• Secretarys Annual Report to Congress
• Submitted May 20, 2014 for calendar years 2011
  and 2012
• Breaches involving more than 500 individuals
• Healthcare providers 68 Business Associates
  25
• Theft 53 Unauthorized Access/Disclosure 18
• Largest Breach theft of unencrypted laptop from
  employees vehicle (gt116,000 individuals
  affected)
• Other Locations
• Medical offices and pharmacies
• Subway and other public transit
• Storage facilities

34
Breach Notification Reports to Congress

• Improper Disposal
• Largest breach (189,489 individuals affected)
• X-rays (lost) by Business Associate hired to
  digitize and destroy x-rays and accompanying
  paper jackets
• Others disposal in recycling or trash bins
• Hacking/IT Incidents
• Largest breach of 2012 overall (780,000
  individuals affected
• Unencrypted network server compromised by a
  cyber-attack
• Others
• viruses and malware
• unidentified, unauthorized persons accessing
  systems
• PHI rendered corrupt and inaccessible (CE
  received ransom note to restore access to the
  files)

35
(No Transcript)
36
OCR Audits of Breach Notification Rule

• Pilot Audit Program
• Detailed in Enforcement presentation
• The pilot audits looked at covered entities
  compliance with specific aspects of the Breach
  Notification Rule
• Notification to Individuals
• Timeliness of Notification
• Methods of Individual Notification
• Burden of Proof

37
(No Transcript)
38
QUESTIONS?