HIPAA/HITECH and the Omnibus Final Rule: The Seven Most Important Things You Need to Know Now to Comply Where value is law. Jane Bello Burke [email protected] Amy L. Goerss [email protected] www.hodgsonruss.com © 2012 Hodgson Russ LLP The Key Changes  HITECH Act-mandated changes now codified in final rules  Most HIPAA provisions directly apply to Business Associates (BAs) of Covered Entities (CEs)  Business Associate re-defined  Breach Notification – method for conducting a breach analysis revised  Consumer-oriented rights impact CEs:  Right to electronic copy of medical record  Sale, marketing, and fundraising restrictions  Right to restrict disclosures 2 Important Dates  Rules were “effective” March 26, 2013  Except as otherwise provided, compliance with most standards is September 23, 2013  Notable exception: Business Associate Agreements (in some instances, have until September 22, 2014 to conform existing agreements) 3 Business Associate Defined  HIPAA rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information 4 Business Associate Defined  Business associate: other than a member of a covered entity’s workforce, a person who:  (i) On behalf of a covered entity creates, receives, maintains, or transmits protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or  (ii) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, where the provision of the service involves the disclosure of protected health information from the covered entity or from another business associate of the covered entity to the person. 5 Business Associate Defined  A covered entity may be a business associate of another covered entity.  Business associate includes:  A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.  A person that offers a personal health record to one or more individuals on behalf of a covered entity.  A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.  Business associate does not include:  A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.  A covered entity participating in an organized health care arrangement 6 Business Associate Definition Changes  Includes organizations that provide data transmissions of PHI involving access to the PHI on a routine basis  example: a vendor that contracts with a CE to provide a personal health record  exception: “mere conduits” such as USPS or UPS, internet service providers 7 Business Associate Definition Changes  Subcontractors are included as business associates  Those persons who provide services to a business associate, other than in the capacity of a workforce member  HIPAA will apply to BAs even if you fail to enter into a contract!  If a Business Associate Agreement should be in place, failure to have one will mean the CE (or BA) is not in compliance with HIPAA  A person may be liable under HIPAA regulations as a BA without even knowing it is a BA 8 Breach Notification  Big changes from the interim final rule  Presumption of breach unless low probability of “compromise”  “Harm threshold” was eliminated 9 Breach Notification  Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information. 10 Breach Notification  Interim final rule:  “Compromises the security and privacy of protected health information” was further defined as “a significant risk of financial, reputational, or other harm to the individual.”  New omnibus rule:  Any impermissible acquisition, access, use or disclosure is presumed to be a breach unless the CE/BA can demonstrate there is a “low probability that the information has been compromised” based on 4 enumerated factors. 11 Breach Notification  Examples of breaches: - PHI sent to the wrong recipient - employee snooping - lost paper records - lost/stolen laptop or portable device - computer virus/hacking 12 Breach Notification  Implications?  Follow the interim final rule standard until September 23, 2013  Strongly consider also evaluating under the new standard  Experts have suggested if the results are different, with “no breach” determined under the old standard … think again. 13 Patient Protections  Patients have additional protections over their PHI in the areas of:     Marketing Sale of PHI Fundraising, and Right to request certain restrictions on disclosure 14 Marketing  Under the old rules, certain treatment and health care operations communications were not considered marketing  Now, even most treatment-related communications will be considered marketing if the communications are paid for by a third party  If such a communication is desired, a covered entity must obtain patient authorization  Examples of exceptions: where no financial remuneration is received, to recommend alternate treatments or treatment settings; for case management and care coordination. 15 Sale of PHI  Similar to the concept of marketing, PHI cannot be sold without patient authorization  The concept of “sale” was not addressed in the old regulations 16 Fundraising  Covered entities may now use additional individual-related information to raise funds for its own purposes  Examples: in a hospital setting, a covered entity could use the department in which a person was treated, the treating physicians, outcome information, and health insurance status to target fundraising  Must include the desired fundraising activity in the Notice of Privacy Practices 17 The Individual's Right to Request Restrictions  The Omnibus Rule requires Covered Entities to agree to restrict disclosures of an individual’s PHI:  to a health plan;  with respect to any PHI pertaining to items or services for which the individual has paid in full.  Industry Concerns  Limitations 18 Expanded Patient Access  Patients have a right to receive certain medical records in electronic format if they so choose  Patients may request records be sent directly to a third party 19 Individual Access to Electronic Records  Rationale:  Patient Involvement Improves Outcomes  Patient Access Facilitates Information Sharing with Web-Based Personal Health Records  If the Covered Entity maintains the records in electronic format, the Covered Entity must provide the individual with electronic access:  in a form and format requested by the individual, if the information is readily producible in that format or, it not,  in readable electronic form and format as the Covered Entity and the individual mutually agree 20 What Can the Covered Entity Charge for Electronic Records?  Under the Privacy Rule, Covered Entities may impose reasonable, cost-based fees for copying and postage.  Costs are limited to labor for copying the requested information, supplies for creating the copy, postage (if applicable) and preparing a summary in lieu of the PHI, if the individual agrees.  The Omnibus Rule considers the cost of supplies for creating the electronic copy (e.g., PDF) to be included as part of the reasonable, cost-based fee.  The fee must be both reasonable  State law restrictions apply 21 The Right to Request Transmission To a Third Party  If an individual requests that the Covered Entity sent PHI directly to a third party, the Covered Entity must send the information to the third party.  Individual must sign a written request that clearly identifies the third party.  Consider creating form of written request 22 Revised Notice of Privacy Practices Required Content  Required Content: In addition to existing Privacy Rule requirements, NPP must inform individuals that:  most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization;  other uses and disclosures not described in the NPP will be made only with authorization from the individual;  if CE intends to contact an individual to raise funds, that individuals may receive fundraising communications and have right to opt out of receiving such communications  Final Rule does not require NPP to include mechanism for opting out of fundraising communications, but CEs may include such information if they choose to do so. 23 Revised Notice of Privacy Practices Required Content (cont’d)  Individuals have right to restrict disclosures of PHI to health plan where individual (or other person) pays out of pocket in full for health care item or service  only health care providers are required to include such a statement in the NPP  other CEs may retain existing language that CE is not required to agree to a requested restriction  Right to notification after breach of unsecured PHI  statement that individual has a right to or will receive notifications of breaches is sufficient  statement need not be entity-specific, but CE may opt to include more detailed information 24 Revised NPP: Distribution  Under HIPAA, when health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must:  make NPP available upon request on or after effective date of the revision  have the NPP available at the delivery site  ok to post NPP in prominent location at delivery site  if full notice is immediately available (e.g., on table under posted summary) for individuals to pick up without additional burden on their part  not ok to require individual to ask for copy  NB: Providers must give copy of NPP to, and obtain acknowledgment of receipt from, new patients only 25 Revised NPP: Plain Language  Obligation to take steps to communicate effectively with individuals with disabilities  E.g., making revised NPP or notice of material changes to the NPP available in alternate formats, such as Braille, large print, or audio  To avoid overly complex NPPs, CEs may use a ‘‘layered notice’’ to implement the Rule’s provisions, for example providing the individual with both:  a short notice that briefly summarizes the individual’s rights, as well as other information, and  a longer notice, layered beneath the short notice that contains all the elements required by the Rule 26 HITECH Enforcement: Key Terms  “Willful Neglect” -- conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated  HITECH incorporates HIPAA concept  Secretary must investigate complaint or conduct compliance review where “preliminary investigation of the facts … indicates a possible violation due to willful neglect”  Secretary retains discretion where a preliminary review of the facts indicates a degree of culpability less than willful neglect. 27 HITECH Enforcement: Key Terms  “Reasonable Cause” -- an act or omission in which a CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the CE or BA did not act with willful neglect  See United States v. Boyle, 469 U.S. 241, 245 (1985) (defining “reasonable cause” in context of U.S. tax laws)  “Reasonable Diligence” -- the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances 28 HITECH Enforcement: Penalty Structure  HIPAA:  CMP of not more than $100 for each violation, with total amount imposed on a CE for all violations of an identical requirement or prohibition during a calendar year not to exceed $25,000  HITECH:  Establishes, for violations on or after 2/18/2009, tiers of increasing penalty amounts for violations based on increasing levels of culpability associated with each tier  For violations prior to 2/18/2009, retains pre-HITECH maximum penalty amounts of not more than $100 per violation and $25,000 for identical violations during CY 29 HITECH Penalties (violations after 2/18/2009) Section 1176(a)(1) Violation Category Each Violation A B Did Not Know Reasonable Cause C(i) Willful NeglectCorrected Willful NeglectNot Corrected C(ii) 30 $100–$50,000 $1,000– $50,000 $10,000– $50,000 $50,000 All violations of identical provision in a calendar year $1,500,000 $1,500,000 $1,500,000 $1,500,000 Counting Violations  Multiple Individuals Affected  Number of identical violations = number of individuals affected  Example: breach of unsecured PHI  Continuing Violations  Number of identical violations = number of days the entity did not have appropriate safeguards in place to protect the PHI  Example: lack of appropriate safeguards for a period of time If Impermissible Use or Disclosure + Lack of Safeguards, HHS may calculate separate civil money penalty for each 31 Factors in Determining Penalty Amount  Nature and Extent of the Violation, including  Number of Individuals Affected  Time Period during which Violation Occurred  Nature and Extent of Harm, including  Whether Violation Caused Physical Harm;  Whether Violation Resulted in Financial Harm  Whether Violation Resulted in Harm to Individual's Reputation, and  Whether Violation Hindered Individual’s Ability to Obtain Health Care;  History of Prior Compliance  Financial Condition of CE or BA 32 Next Steps:  Review and update all HIPAA policies and procedures and train staff on the changes … but this is huge and may be intimidating, so … 33 The Seven Most Important Things to Do Next:  Conduct a Risk Assessment of Most Significant Changes  Understand situations triggering Breach Notification  Update P&P, train staff  Understand circumstances creating Business Associate relationships  Identify your BAs  Update BAAs as necessary, execute new BAAs if none  Identify situations where uses and disclosures require authorization, including  Marketing issues  Sale of PHI and update P&P accordingly 34 The Seven Most Important Things to Do Next (cont’d):  Understand individual’s right  to access records in electronic format,  to request restrictions on disclosure of certain records  to request transmission of PHI to a third party and update P&P accordingly  Revise Notice of Privacy Practices regarding:  Psychotherapy notes  Marketing rules  Sale of PHI  Other uses and disclosures  Fundraising communications  Right to restrict certain disclosures to a health plan  Right to breach notification 35 The Seven Most Important Things to Do Next (cont’d):  Educate employees  marketing rules  fundraising requirements  prohibition against selling information  right to access records in electronic format,  right to request restrictions on certain disclosures  right to request transmission to a third party  breach notification requirements  new penalty structure 36 Questions? Amy Goerss 716-848-1451 [email protected] Jane Bello Burke 518-433-2404 [email protected] 37