Changes to HIPAA - How New Privacy Rules will Affect Your Business
ALFA 2013: Conference and Expo Matthew J. Murer May 7, 2013
Polsinelli PC. In California, Polsinelli LLP
Faculty
Matthew J. Murer
Chair, National Healthcare Practice
Polsinelli, PC
(312) 873-3603
Mmurer@Polsinelli.com
2 real challenges. real answers. sm
Important Final Omnibus Rule Dates and Deadlines
Publication Date: January 25, 2013 (www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf)
Effective Date: March 26, 2013
Compliance Date: September 23, 2013 (unless otherwise indicated)
Business Associate Agreement Compliance Date: September 22, 2014 (for “grandfathered” BAAs)
Overview of Key Modification Areas
– Business Associates
– Breach Notification Rule
– Individual Rights
  • Right to Access
  • Revisions to NPP
  • Mandatory Right to Restriction
– New Requirements for Uses/Disclosures
  • Marketing
  • “Sale” of PHI
  • Prohibition on use of Genetic Information for Underwriting
  • Research
– Enforcement
(Diagram: HIPAA 1996 and its component rules – Privacy Rule, Security Rule, Transactions Rule, Breach Notification Rule – together with the HITECH Act 2009)
The Basic HIPAA Privacy Rule
A Covered Entity or its Business Associate may not use or disclose Protected Health Information unless that type of use or disclosure is specifically permitted by HIPAA.
What is a Covered Entity?
– Health Care Providers – who transmit health information in electronic form in connection with one or more designated standard transactions
– Health Plans – individual or group health plans that provide or pay the cost of medical care
– Health Care Clearinghouses – entities that process electronic health information from non-standard to standard format, or vice versa
What does it mean to be a Business Associate?
A Business Associate is a person or entity who provides services on behalf of a Covered Entity, if the services involve use or disclosure of Protected Health Information.
*Covered Entities enter into Business Associate Agreements (BAAs) with Business Associates
(Diagram: a Covered Entity surrounded by its Business Associates – lawyers, actuaries, consultants, insurance companies/HMOs, and other vendors)
BUSINESS ASSOCIATE CHANGES, Part 1
Category of entities that will be considered Business Associates has been expanded to include:
– Entities that transmit and need routine access to PHI (such as HIOs and E-Prescribing Gateways)
– PHR/EHR vendors who serve Covered Entities
– Subcontractors who create, receive, maintain, or transmit PHI for a Business Associate
BUSINESS ASSOCIATE CHANGES, Part 1
Categories of entities that are not included in the new Business Associate definition are:
– Health care provider who receives PHI from another provider for treatment
– Plan sponsors, with respect to disclosures by Group Health Plans
– Government agencies (determining eligibility)
– OHCA participants
– “Conduits” – transmission services w/ temporary storage of PHI
  • Maintaining PHI (even without viewing) = BA
  • Impact on Cloud Vendors
BUSINESS ASSOCIATE CHANGES, Part 2
Business Associates are now directly liable, and subject to OCR enforcement, for:
– Impermissible uses and disclosures of PHI and ePHI
– Failure to comply with the Security Rule
  • Business Associates must have in place the same security measures as are now required of Covered Entities
– Failure to provide notification of breach to a Covered Entity
BUSINESS ASSOCIATE CHANGES, Part 2
Business Associates are now directly liable, and subject to OCR enforcement, for:
– Failure to provide access to PHI/ePHI to an individual as necessary to satisfy CE’s obligations (i.e., if requested by CE)
– Failure to provide an accounting of disclosures (similar to current requirement)
– Failure to enter into BAAs with downstream subcontractors
– Failure to cooperate with HHS in any compliance investigation
Business Associate Changes, Issues of Agency
Potential Liability of CE or BA for “agents”
– CE liable for BA violations if BA is an agent under federal common law and the act is within the scope of agency
– BAs will be liable for subcontractor’s violations under same circumstances
Business Associate Changes, Issues of Agency
Federal Common Law of Agency
– Is there an agency relationship?
  • Contract language AND facts/circumstances
– Which party controls or has the ability to control
– OCR says if CE can only control through amendment of the BAA or by suing for breach, then BA is not an agent
Business Associate Changes, Issues of Agency
Federal Common Law of Agency
– If there is an agency relationship, was the conduct within the scope of the agency?
  • Time, place, purpose of conduct and whether the CE would reasonably expect the conduct
  • Ability of CE to control the conduct
  • Whether the conduct was the type that would be expected to perform the service
BUSINESS ASSOCIATE CHANGES, Part 3
COVERED ENTITY ACTION STEPS:
1. Identify your Business Associates (BAs) and evaluate agency issues
2. Review and/or revise Business Associate Agreements (BAAs) – consider indemnification, insurance, etc.
   - Existing BAAs (entered into prior to January 25, 2013) are “grandfathered” in until September 22, 2014 (unless modified before then)
3. Execute BAA with New BAs
BUSINESS ASSOCIATE ACTION STEPS:
1. Determine if you are a BA; if so, review or execute BAAs with CEs and subcontractors and evaluate agency issues
2. Comply with HIPAA Security Rule (need Security Officer)
3. Implement HIPAA Privacy Policies and Procedures
BREACH NOTIFICATION RULE
“Breach” means the acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information.
Three exceptions:
(1) Unintentional acquisition, access or use of PHI by a workforce member in the scope of duties – no further access or disclosure
(2) Inadvertent disclosure from one authorized person to another within a CE/BA – no further access or disclosure
(3) Disclosure of PHI where CE/BA has good faith belief that the recipient cannot retain the information
New Rule did not change these provisions
BREACH NOTIFICATION RULE, cont’d
OLD STANDARD:
– the breach “poses a significant risk of financial, reputational, or other harm to the individual” (the risk of harm standard)
NEW STANDARD:
– any unauthorized use or disclosure of PHI/ePHI that does not meet one of the exceptions is presumed to be a “breach” UNLESS the CE/BA can demonstrate (through a written risk assessment) that there is a “low probability that the PHI has been compromised”
Note: The term “compromise” is no longer defined.
BREACH NOTIFICATION RULE, cont’d
Risk Assessment – Factors that must be considered:
– Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom the disclosure was made
– Whether the PHI was actually acquired or viewed
– The extent to which the risk to the PHI has been mitigated
BREACH NOTIFICATION RULE, cont’d
CE/BA can decide to notify WITHOUT conducting a risk assessment
No longer an exception for limited data sets
Encryption and destruction are the only 2 methods to “secure” PHI – which is exempt from notification requirements. See www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotification/brguidance.html
Notice to HHS (less than 500 records) has to occur within 60 days of the end of the year in which the breach was “discovered,” not in which it “occurred”
Compliance required by September 23, 2013 – in the interim, HHS states to comply with old standard
Note: Must also consider applicability of state breach notification laws
BREACH NOTIFICATION RULE, cont’d
ACTION STEPS:
– Evaluate if encryption is feasible
– Review/revise BAAs (which entity is going to provide notice to individuals and bear costs)
– Review/revise Notice of Privacy Practices (must state individuals will be notified if there is a breach of their unsecured PHI)
– Revise policies and procedures to address new standard
– Train workforce members on the new standard and the importance of promptly reporting potential impermissible uses and disclosures
INDIVIDUAL RIGHTS
Individuals have a right to receive an electronic copy of their ePHI
– Must provide ePHI in form or format requested if readily producible; otherwise in a readable electronic form or format agreed to by parties
– Individuals can direct the copy to go to third person
  • Request must be in writing and signed
HHS Clarifications:
– Providers not required to give direct access to their systems
– ePHI linked data must also be provided
– Can provide hard copy and ePHI, if record is mixed
– Don’t have to use an individual’s flash drive, etc.
– Unencrypted email acceptable if individual waives risk of interception
– 30 days to provide records; 30 day extension upon notice
– Charging for labor costs is acceptable, but consider state law; can also charge for cost of electronic media, e.g., CD, USB drive
Individual Rights, Cont’d.
New Content in Notice of Privacy Practices
– Statements that sale of PHI, marketing communications and use/disclosure of psychotherapy notes require authorization
– Statement that individual can opt-out of fundraising communications
– Statement about individual’s right to receive breach notifications
– Statement about mandatory restrictions
Individual Rights, Cont’d.
New Content in NPP Specific to Health Plans
– Statement that genetic information may not be used for underwriting purposes
  • Applies to health plans that engage in underwriting (excludes issuer of a long-term care policy)
Individual Rights, Cont’d.
Distribution of Revised NPPs
– Must be distributed if “materially” revised
– Health Plans may distribute by:
  • Posting on website by the effective date of the change (i.e., September 23, 2013) and then including the new NPP in the next annual mailing, OR
  • Mailing the new NPP within 60 days of the change (i.e., within 60 days after September 23, 2013)
Individual Rights, cont’d
Individuals can restrict disclosures to health plans if PHI pertains to an item or service for which the individual paid out-of-pocket in full
– Need to be able to flag or segregate portions of medical record
– Doesn’t apply if payment is dishonored (e.g., check bounces)
– Individual must notify downstream providers
MARKETING
Marketing is a communication about a product or service that encourages purchase or use, EXCEPT does not include:
– Refill reminders or other communication about a product currently prescribed, but only IF payment received for making communication is reasonably related to cost
– Communications about treatment, case management, care coordination or a health-related product or service provided by the CE, but only IF CE does not receive direct or indirect payment for the communication from or on behalf of a third party whose product or service is being described
If a communication is “marketing,” it requires an authorization unless:
– It is face-to-face (even if CE receives payment to do so)
– Promotional gifts with small value
If marketing involves payment, authorization must state that payment is involved
MARKETING
Health Plan Action Item
– Evaluate all subsidized communications
  • E.g., adherence programs, disease management programs may be funded by manufacturers
FUNDRAISING
Individuals must be provided with a clear and conspicuous opportunity to opt-out of receiving fundraising communications (must include opt-out in Notice of Privacy Practices)
Applies equally to fundraising communications made in writing and over the telephone
Method for opt-out option is in the discretion of the CE; however, it may not cause the individual to incur undue burden or more than nominal cost
Applies only if an individual’s PHI is used to make the communication – not merely if a communication is made
“SALE” OF PHI
General Rule:
– Must obtain authorization if CE receives direct or indirect remuneration (including nonfinancial) in exchange for the disclosure of PHI
– Authorization must state that CE is receiving direct or indirect remuneration in exchange for the PHI
Includes remuneration for access, license, or lease agreements related to PHI
Covers remuneration for the PHI (or access to the PHI), not for services involving access to the PHI (e.g., HIE)
Exceptions – public health activities, treatment and payment, sale of CE, research capped at cost to prepare and transmit PHI, remuneration to BA for services, disclosures required by law, providing access or accounting to an individual, and permitted disclosures where CE only receives reasonable cost-based fee to prepare and transmit
GINA
Genetic Information is PHI
Use or disclosure of genetic information for underwriting purposes is prohibited (except long-term care plans)
Definitions are broad
GINA - Definitions
Genetic Information
– Information about genetic tests of an individual or family member (including fetus or embryo of either)
– Manifestation of a disease or disorder in family members of the individual
– Any request for, or receipt of, genetic services (genetic test, counseling or education) or participation in clinical research which includes genetic services
Genetic Information, cont’d.
“Genetic information” does not include information about the individual’s sex or age
“Genetic test” does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder or pathological condition
GINA - Definitions  Underwriting – Rules for, or determination of, eligibility (including enrollment and continued eligibility) for benefits under the health plan, coverage or policy (including changes in deductibles or other cost sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program) 34 real challenges. real answers. sm
Underwriting – definition, cont’d.
– Computation of premium or contribution amounts under the plan, coverage or policy (including discounts, rebates, payments in-kind or other premium differential mechanisms in return for activities such as completing an HRA or participating in a wellness program)
Underwriting – definition, cont’d.
– The application of any pre-existing condition exclusion
– Other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits
Underwriting - Exclusion
Underwriting does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage or policy
RESEARCH
Authorizations for future research permitted
– Must still meet all of the core elements required to be in the authorization, including an expiration date or event (e.g., “end of research study” or “none”)
– Must adequately describe the purpose so the individual understands that his or her PHI could be used or disclosed for future research activities
Compound authorizations permitted in certain cases
– Conditioned research versus unconditioned research – opt in required
Note: for health plan research involving genetic information, see GINA
Enforcement Prior to HITECH
Most violations resolved through voluntary compliance or settlement agreements – Not CMPs
No private right of action = no monetary recovery for individuals whatsoever
HIPAA was not a high compliance priority
– Few government audits
– Lack of penalties or negative consequences
Enforcement After HITECH
Heightened enforcement scheme
– Increased penalties for Covered Entities (CE) and Business Associates (BA)
– State Attorneys General given new authority to bring civil suit on behalf of state residents
I.S. v. Washington University*
– Unlawful disclosure of PHI can be basis of per se state law negligence claim
*I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo. June 14, 2011).
Attorney General Actions
New enforcement authority to bring suit
– Obtain damages on behalf of state residents
– Enjoin further violations
Cannot bring suit while HHS action for CMPs is pending
OCR’s HIPAA Enforcement Training
– Aids Attorneys General in investigating and seeking damages
– See: www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html
Recent Enforcement Actions by OCR
Management Services Organization Washington, Inc. (MSO), December 2010
– Enforcement action in connection with FCA investigation
– Incident involved disclosure of ePHI to Washington Practice Management, LLC to market Medicare Advantage plans
– MSO failed to secure valid authorizations and did not implement appropriate safeguards
– MSO agreed to pay $35,000 and employ corrective action plan
Recent Enforcement Actions by OCR
Cignet Health, February 2011
– First CMP imposed for Privacy Rule violation – Total CMP of $4.3 million
– Incident involved denying 41 patients access to their requested medical records – $1.4 million CMP
– OCR found Cignet’s failure to cooperate with the investigation was due to willful neglect – $3 million CMP for failure to cooperate
Recent Enforcement Actions by OCR
Blue Cross Blue Shield of Tennessee (BCBST), March 2012
– First enforcement action resulting from HITECH’s breach reporting requirements
– Incident involved 57 stolen, unencrypted computer hard drives containing PHI of over 1 million people
– Allegation that BCBST failed to perform security evaluation and implement physical safeguards
– BCBST agreed to:
  • Pay HHS $1.5 million for potential Privacy and Security Rule violations
  • Implement corrective action for compliance program
Office for Civil Rights Complaint Process*
(Diagram: OCR complaint process flowchart)
* Source: Department of Health and Human Services, Office for Civil Rights
The Right to File a Complaint
Any person can file a complaint with OCR for violations of HIPAA
Complaints must:
• Be in writing (paper or electronic)
• Name the covered entity or business associate
• Describe the violating acts or omissions
• Be filed within 180 days of when the complainant knew or should have known of the act or omission
  – Time limit can be waived for good cause
Complaint Investigation and Compliance Review
Investigations
– Required when facts indicate willful neglect
– May include:
  • Review of policies, procedures, or practices
  • Review of circumstances surrounding complaint
– Initial written communication by Secretary regarding investigation will describe basis of complaint
Complaint Investigation and Compliance Review
Compliance review
– Required when preliminary review of facts indicates willful neglect
– Final Rule preamble notes that compliance reviews are generally conducted when HHS learns of alleged violation through means other than a complaint, e.g., media report, or through a report from another state or federal agency
Investigations or review may involve subpoenas for witnesses or production of evidence
What OCR Considers During Complaint Intake and Review
OCR can only take action on certain complaints:
• Alleged violation occurred after required compliance date
• Complaint filed against a CE or BA
• Complaint alleges activity that would violate Privacy or Security Rule if proven true
• Complaint filed within 180 day time frame
• May refer complaint to DOJ for criminal investigation
What OCR Considers During Complaint Intake and Review
The Process:
1. OCR notifies parties of accepted complaint
2. CE or BA must present information about incident
3. Review of information and evidence
4. Notification of parties if no further action warranted
5. If noncompliant, OCR will resolve case by obtaining voluntary compliance, corrective action, resolution agreement
   – There is discretion to forgo informal resolution measures and go directly to CMP imposition
ENFORCEMENT (Tiered Civil Penalties)

VIOLATION CATEGORY                       EACH VIOLATION     PER YEAR
Did not know                             $100-$50,000       $1.5M
Reasonable cause                         $1,000-$50,000     $1.5M
Willful neglect, corrected in 30 days    $10,000-$50,000    $1.5M
Willful neglect, not corrected           $50,000            $1.5M
ENFORCEMENT (Penalty Assessment Factors)
HHS is not bound to impose the maximum penalty, but will consider:
– Nature and extent of the violation
– Resulting harm (number of people, reputational harm)
– Entity’s history of compliance or violations
– Financial condition of the entity
– Any other factors justice may require
REMEMBER: intentional acts may be subject to separate criminal prosecution
ACTION STEPS
– CE: Revise Notice of Privacy Practices
– CE/BA: Implement/revise HIPAA Policies and Procedures
– CE/BA: Identify Business Associates
– CE/BA: Revise and enter into new/amended Business Associate Agreements (2 different deadlines)
– CE/BA: Review any “remuneration” relationships involving PHI/ePHI
– CE/BA: Train Workforce