HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy
June 23, 2014
Presented by Jennifer Breuer, David Mayer and Sara Shanti
Sponsored by Iatric Systems
Program Outline
• Background – HIPAA Omnibus Final Rule
• Business Associates
  • New responsibilities for business associates
  • Changes to Business Associate Agreements that must be in place as of September 23, 2014
  • Recommended compliance strategies
• Security Risk Analyses
• Enforcement
• OCR Audits
Background – HIPAA Omnibus Final Rule
• Announced on January 17, 2013
• Published in the Federal Register on January 25, 2013
  • http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• Effective on March 26, 2013
• Initial Compliance Date: September 23, 2013
  • HHS began enforcing the Final Rule on the Initial Compliance Date
• Final Compliance Date: September 23, 2014
  • If existing BAAs were not renewed or modified between March 26 and September 23, 2013, they will remain compliant until the earlier of:
    • The date the BAA is renewed or modified after September 23, 2013; or
    • September 22, 2014
Business Associates (BAs)
• The HIPAA Omnibus Final Rule made the following key changes to Business Associates:
  • Expands the definition of BAs
  • Expands the compliance obligations applicable to BAs
  • Explains the scope of direct liability for violations applicable to BAs
  • Identifies required changes to BA agreements
Business Associates: Definition (cont’d)
• BAs are still BAs:
  • A person or entity who creates, receives, maintains, or transmits PHI on behalf of a Covered Entity
  • Change reflected in the addition of “maintains”
• Definition of BA now specifically includes:
  • A Health Information Organization, E-Prescribing Gateway, or other person who provides data transmission services with respect to PHI to a Covered Entity and who requires access to such PHI on a routine basis
  • A person who offers a personal health record to one or more individuals on behalf of a Covered Entity
    • This does not include PHR vendors that offer a PHR directly to an individual and not on behalf of a Covered Entity
Business Associates: Definition (cont’d)
• Subcontractors are now BAs:
  • Definition of “business associate” now includes a “subcontractor that creates, receives, maintains, or transmits [PHI] on behalf of the business associate”
  • A “Subcontractor” is a person to whom a BA delegates a function, activity or service, other than in the capacity of a member of the workforce of such BA
  • The BA does not need to provide the Subcontractor with PHI directly
    • A Covered Entity can provide PHI directly to a BA’s subcontractor without the subcontractor being the Covered Entity’s direct BA
  • Note: a BA’s disclosure of PHI for its own management, administration and legal responsibilities may not create a subcontractor relationship with the recipient
Responsibilities of Business Associates
• BAs are governed by:
  • HIPAA
    • Most Security Rule standards and implementation specifications extend directly to BAs
    • All relevant Privacy Rule provisions extend directly to BAs
    • Legal obligations and enforcement risks
  • Contracts
    • Terms of the BAA continue to govern BAs
    • Terms of Master Services Agreements, Confidentiality Agreements, etc.
    • Vicarious liability
  • Common law
    • BAs may be “agents” of the Covered Entity
Responsibilities of Business Associates (cont’d)
• BAs are now directly liable for:
  • Security Rule compliance
    • Complying with administrative, physical, and technical safeguards and documentation requirements
    • BAs must conduct a risk analysis of potential security risks and vulnerabilities
  • Uses and disclosures of PHI only as permitted:
    • Under the BAA – the BA must comply with the terms of the BAA
    • Under HIPAA – the BA cannot use PHI in a manner that would be impermissible for a Covered Entity
Responsibilities of Business Associates (cont’d)
• BAs are also directly liable for:
  • Failing to notify Covered Entities of breaches of unsecured PHI
  • Failing to disclose PHI when required by HHS to determine compliance
  • Failing to disclose PHI to the Covered Entity or individual to satisfy an individual’s request for an electronic copy of PHI
  • Failing to make reasonable efforts to limit use and disclosure of PHI to the minimum necessary
  • Failing to enter into BAAs with subcontractors
Responsibilities of Business Associates (cont’d)
• A BA that becomes aware of noncompliance by a subcontractor must:
  • Take reasonable steps to cure the breach or end the violation
  • If those steps are unsuccessful, terminate the relationship
• Otherwise, the BA may face liability for its own noncompliance with BA requirements
Business Associate Agreements
• BAAs must require BAs to:
  • Use appropriate safeguards for electronic PHI
  • Report to the Covered Entity any use or disclosure of PHI not provided for in the BAA, including:
    • Breaches of unsecured PHI
    • Any security incident
  • Ensure that “subcontractors” agree to the same restrictions and conditions as the BA with regard to PHI
  • If the BA carries out a Covered Entity’s obligation under HIPAA, comply with those HIPAA requirements that would apply to the Covered Entity in the performance of such obligation
Business Associate Agreements (cont’d)
• Other key changes to BAAs (since last modified in June 2006):
  • BA must comply with the Security Rule
    • Risk Analysis
    • Safeguards
    • Reporting
  • BA must maintain and make available information required to make an accounting of disclosures
• Sample BAA
  • HHS released a form of BAA on January 25, 2013
  • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Business Associates and Subcontractors
• BAAs must still be in place, even though BAs are directly liable under many provisions of HIPAA
• BAs must enter into BAAs with their subcontractors
  • A BA may disclose PHI to a subcontractor only under a BAA
  • No BAA is required between the Covered Entity and the BA’s subcontractor
• Each BAA in the chain must be at least as stringent as the one above it regarding the uses and disclosures of PHI
  • The extension of the rules is not limited to “first tier” contractors, but applies to all downstream contractors
• The BA, as opposed to the Covered Entity, is responsible for responding to any noncompliant subcontractors
Other BAA Terms and Trends
• Industry trends in BAAs
  • BA Indemnification
    • Specifically, related to breaches that require costly notification
  • Permit Aggregation
  • Permit De-identification
  • Acknowledgements of BA obligations under HIPAA
    • Liability could attach under agency theory
Compliance Strategies
• Do not aim to “overachieve”
  • HHS looks to the BAA and internal policies for compliance
  • Where internal policies are more restrictive than HIPAA standards, HHS may determine noncompliance on the basis of those policies rather than the legal requirements
Compliance Strategies
• More covered entities are using BAAs to transfer obligations
  • Some highlight the BA’s HIPAA obligations
  • Some insert additional compliance requirements
  • Some use BAAs to limit the covered entity’s own liability
    • Indemnification clauses
    • Reference to MSA clauses
    • Insurance requirements
Security Risk Analyses
• HIPAA requires BAs to conduct the same security risk analysis that a Covered Entity must undertake
• Covered Entities must:
  • Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization
Security Risk Analyses
• OCR considers Risk Analyses a best practice in the health care industry
  • Covered Entities have been subject to this Security Rule requirement since April 2003
  • Enforced by OCR since July 2009
• In the case of a breach or other investigation, OCR will request a copy of the CE’s Risk Analysis:
  • The Risk Analysis should be current
    • Should be reviewed/revised every 2 or 3 years
  • The Risk Analysis should reflect changes in operations
    • E.g., implementation of new systems
  • The Risk Analysis should address mobile devices
Security Risk Analyses
• The Risk Analysis should be scalable and flexible
  • Does not have to be a single document
• A Risk Analysis can be a useful business tool for determining the IT strengths and weaknesses of an organization
  • More and more CEs and other contractors want to review their vendors’ security risk analyses
• A Risk Analysis requires an organization to consider what administrative, physical and technical safeguards it has in place to protect PHI
Elements of a Risk Analysis
• Identify ePHI within the organization
  • All systems, programs and applications used to create, maintain, receive and transmit ePHI
• Identify all external sources of ePHI
  • Third-party vendors, consultants and subcontractors
• Review human and environmental threats
• Current Security Measures
• Likelihood of Threat
• Impact of Threat
• Document all of the above
Elements of a Risk Analysis
• Vulnerability
  • A system weakness that could result in a breach
• Threat
  • The potential for a person or thing to exercise a vulnerability
• Risk
  • The impact, considering the probability of a given vulnerability and threat
• The Risk Analysis should identify each Vulnerability, Threat and Risk as High, Medium or Low
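The two "Elements of a Risk Analysis" slides above describe a procedure: inventory the systems and external parties that hold ePHI, record each threat, vulnerability and current safeguard, rate likelihood and impact, derive a High/Medium/Low risk, and document it. The following risk register applies that procedure in working code. It is an added example, not material from the presentation; the 3x3 likelihood-by-impact scale, the RiskItem fields and the sample inventory are assumptions made here (the sample entries are constructed, loosely modelled on the enforcement actions discussed later in the deck).

```python
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class RiskItem:
    asset: str             # system, program or application that handles ePHI
    ephi_source: str       # "internal" or the external party (vendor, subcontractor)
    threat: str            # person or thing that could exercise the vulnerability
    vulnerability: str     # system weakness that could result in a breach
    current_measures: str  # safeguards already in place (empty string if none)
    likelihood: str        # Low / Medium / High
    impact: str            # Low / Medium / High

def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact on an assumed 3x3 scale into a High/Medium/Low rating."""
    score = LEVELS[likelihood] * LEVELS[impact]  # one of 1, 2, 3, 4, 6, 9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def build_register(items):
    """Validate each item, rate it, and return the register sorted highest risk first."""
    rows = []
    for it in items:
        if it.likelihood not in LEVELS or it.impact not in LEVELS:
            raise ValueError(f"{it.asset}: likelihood and impact must be Low, Medium or High")
        rows.append({
            "asset": it.asset,
            "risk": risk_level(it.likelihood, it.impact),
            # No safeguard in place: the analysis must document why, and what is done instead
            "needs_justification": not it.current_measures.strip(),
        })
    rows.sort(key=lambda r: (-LEVELS[r["risk"]], r["asset"]))
    return rows

# Constructed sample inventory (hypothetical values, not from any real organization)
SAMPLE = [
    RiskItem("PT department laptops", "internal", "theft of device",
             "disk not encrypted", "", "High", "High"),
    RiskItem("Patient database server", "internal", "Internet search crawler",
             "server reachable without access controls", "perimeter firewall", "Medium", "High"),
    RiskItem("Online scheduling calendar", "calendar vendor", "public viewing",
             "no BAA; calendar shared publicly", "", "Medium", "Medium"),
    RiskItem("Billing file share", "billing subcontractor", "insider misuse",
             "broad read access", "role-based access; BAA signed", "Low", "Medium"),
]
```

Calling build_register(SAMPLE) yields the prioritized, documented list that an auditor or investigator would ask for; the needs_justification flag marks the entries where the analysis must explain why no safeguard (for example, encryption) is in place.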
Recent Enforcement Actions
• Columbia University/New York Presbyterian Hospital (2014)
  • Impermissible disclosure of ePHI of 6,800 patients to Google/other search engines
    • Disclosed PHI included patient status, vital signs, medications and lab results
  • Computer server with access to ePHI was not properly configured
  • Failure to conduct an accurate and thorough risk analysis
  • HHS investigation found:
    • Failure to implement processes for assessing and monitoring all IT systems that accessed PHI
    • Failure to implement policies and procedures for authorizing access to databases containing PHI
    • Failure to follow policies on information access management
  • $4.8 MM resolution payment to HHS; largest settlement to date
Recent Enforcement Actions (cont’d)
• Concentra Health Services (2014)
  • Unencrypted laptop stolen from the PT department
  • HHS investigation found:
    • Failure to adequately remediate and manage its identified lack of encryption
    • Risk analysis did not address why encryption was not reasonable and appropriate and what other measures would be taken to secure PHI
    • Failure to implement policies and procedures to prevent, detect, contain and correct security violations
  • $1.7 MM resolution payment to HHS
Recent Enforcement Activities (cont’d)
• Shasta Regional Medical Center (2013)
  • SRMC responded to media allegations of Medicare fraud by providing information about medical services provided to a patient without authorization
    • Disclosures made to California Watch, The Record Searchlight and The Los Angeles Times
  • SRMC also revealed the patient’s PHI to its entire workforce and medical staff without authorization
  • HHS investigation found:
    • Failure to safeguard PHI
    • Impermissible use of PHI
    • Failure to sanction appropriate workforce members pursuant to its internal sanctions policy
  • $275,000 resolution payment to HHS
Recent Enforcement Activities (cont’d)
• Phoenix Cardiac Surgery, P.C. (2013)
  • The Practice published patient scheduling information to a publicly accessible, Internet-based calendar and transmitted ePHI from the Practice’s e-mail account to workforce members’ personal e-mail accounts
  • HHS investigation found:
    • Failure to provide and document training of workforce members on use and disclosure of PHI
    • Failure to implement administrative and technical safeguards to protect ePHI
    • No Security Official identified
    • Failure to obtain satisfactory assurances from business associates that they would appropriately safeguard ePHI
    • No Risk Analysis performed
    • No BAA in place with the vendor that provided the Internet-based calendar
  • $100,000 resolution payment to HHS
Recent Enforcement Activities (cont’d)
• Future Enforcement
  • OCR anticipates more aggressive enforcement
    • Attention on risk analyses
    • Mobile devices
  • Monetary settlements
  • Corrective Action Plans
• Common Law
  • Post-breach private actions
  • State jurisdictions
    • Standards of harm vary (including lack thereof)
Audit Program Likely to Begin Again in 2014
• The Pilot Program is currently under review for effectiveness
  • Lessons from the Pilot Program will be implemented in the future program
• Future audits are likely to include CEs and BAs
  • 1,200 candidates identified as potential audit targets
    • Two-thirds are CEs; one-third are BAs
  • The number of actual audits is likely to be much less than 1,200
• Future audits are likely to focus on Security Rule compliance
  • Failure to perform a thorough risk analysis is the biggest source of Security Rule violations
Understanding HIPAA Audits
• NOT an investigation
  • Random
  • Does NOT indicate that a complaint has been filed or that OCR is suspicious about the audit target
  • NOT intended to be confrontational
• Covered Entities (and BAs) need to be prepared for Audits
  • Provide prompt and complete cooperation during the Audit
  • Conduct regular self-audits to prepare (at least annually)
  • DOCUMENT compliance activities; make sure documentation is organized and accessible
What to Expect During an Audit
• Notification letter
  • The auditee should confirm its authenticity
  • The letter will request documentation (10-day turnaround)
  • The letter will provide notice of a site audit (30 – 90 days from the date of the letter)
• Site Visit
  • Interviews of key personnel
  • Observation of processes and operations
• Receipt of Draft Report/Opportunity to Respond (10 days)
  • OCR will not see the draft report
• Issuance of Final Audit Report
  • OCR will receive a copy of the final report, which incorporates the steps the auditee has taken to resolve any compliance issues identified by the audit and describes any best practices
• Audit Protocol available on OCR’s website
Contact Information
Jennifer Breuer, Partner, Drinker Biddle & Reath LLP, (312) 569-1256, Jennifer.Breuer@dbr.com
David Mayer, Senior Advisor, Drinker Biddle & Reath LLP, (312) 569-1060, David.Mayer@dbr.com
Sara Shanti, Associate, Drinker Biddle & Reath LLP, (312) 569-1258, Sara.Shanti@dbr.com
Or, visit our website for more information at: www.DrinkerBiddleHealthCare.com
Thank you to our sponsor
Iatric Systems Business Associate Manager™ manages the risk and workflow necessary for organizations to ensure due diligence in their business associate relationships. By monitoring and managing the risk of business associate agreements and providing alerts when agreements need updating, Business Associate Manager™ helps organizations protect patient privacy and build trust.