HIPAA/HITECH Update


Presentation Transcript


  1. HIPAA/HITECH Update
  By LYNDA M. JOHNSON, Friday, Eldredge & Clark

  2. HITECH Act – Privacy and Security
  • Extended the reach of the HIPAA Privacy and Security Rules to business associates (BAs)
  • Imposed breach notification requirements on HIPAA covered entities (CEs) and BAs
  • Limited certain uses and disclosures of protected health information (PHI)
  • Increased individuals’ rights with respect to PHI maintained in EHRs
  • Increased enforcement of, and penalties for, HIPAA violations

  3. The HIPAA Omnibus Final Rule
  • On July 14, 2010, HHS published a notice of proposed rulemaking (the “Proposed Rule”) that would modify the HIPAA Privacy, Security and Enforcement Rules
  • After much delay, HHS published the HIPAA Omnibus Final Rule on January 25, 2013
  • Amends the Privacy, Security, Enforcement and Breach Notification Rules
  • Also makes conforming changes pursuant to the Genetic Information Nondiscrimination Act of 2008 (GINA)
  • The Final Rule implements the requirements of the HITECH Act and largely adopts the Proposed Rule without major changes

  4. Compliance Dates
  • Final Rule became effective March 26, 2013
  • Compliance was required by September 23, 2013

  5. Business Associates
  • HITECH imposes new privacy and security obligations on BAs and personal health record companies
  • To increase consumer confidence in EHRs and PHRs, companies that provide those products and aid in electronic transmission of PHI are subject to more direct privacy and security regulation

  6. Business Associates – Satisfactory Assurances
  • A covered entity may disclose protected health information to business associates if it obtains “satisfactory assurances” that business associates will appropriately safeguard the information
  • Business associate contract required

  7. Use and Disclosure — Who Is a Business Associate?
  • A person acting on behalf of a covered entity who:
    • Creates, receives, maintains or transmits PHI
    • For a function or activity regulated by HIPAA (a covered entity function), or
    • Provides certain identified services to a covered entity
  • Examples shown on the slide diagram around the covered entity: billing firms; lawyers, actuaries; outsourcing vendors; accountants, auditors; financial services; clearinghouses; management firms; consultants, vendors; accreditation organizations
  • BAs may also be covered entities
  • This is the Final Rule’s newly tweaked definition

  8. No Business Associate Relationship
  • Workforce
  • Provider and plan
  • Provider and provider for treatment
  • Hospital and medical staff member
  • Group health plan and plan sponsor
  • Financial institutions
  • Due diligence activities
  • Members of “organized health care arrangements”
  • “Conduits” (mail services and electronic equivalents) that only access PHI on a “random or infrequent” basis

  9. The “Conduit” Exception
  • OCR notes that the exception is limited to services that transmit PHI
    • Even when there is temporary storage of the transmitted data related to the transmission
  • A company that only maintains PHI on behalf of a covered entity is a BA, even if the entity does not actually view the PHI
  • Examples: data storage company, cloud computing provider

  10. Expanded Definition of Business Associates
  • Definition of “business associate” now includes:
    • Patient safety organizations under the Patient Safety and Quality Improvement Act of 2005
    • Organizations that provide data transmission of PHI to a covered entity, such as Health Information Organizations and E-prescribing Gateways, and that require routine access to PHI
    • PHR vendors acting on behalf of a CE
    • Subcontractors to a BA that create, receive, maintain or transmit PHI on behalf of a BA

  11. Business Associate Security Rule Compliance
  Necessary steps for Security Rule compliance:
  • Conducting a formal security risk assessment;
  • Implementing written policies and procedures with respect to Security Rule standards;
  • Providing security training to workforce members;
  • Amending BAAs to include provisions required by the Security Rule; and
  • Appointing a Security Officer to oversee Security Rule compliance efforts

  12. BA Liability
  • BAs may be directly liable for:
    • Uses and disclosures of PHI in violation of a BAA or the Privacy Rule (including more than the minimum necessary)
    • Failing to comply with the Security Rule
    • Failing to provide breach notification to a CE
    • Failing to disclose PHI to the Secretary of HHS to investigate compliance
    • Failing to disclose PHI to comply with an individual’s request for an electronic copy of PHI
    • Failing to contract with subcontractors

  13. BA Privacy Rule Compliance
  • Written privacy policies and procedures addressing BA privacy obligations are not strictly required, but are prudent
    • Addressing the minimum necessary standard, storing paper PHI, faxing and document destruction practices, etc.
  • Given the significant liability risks associated with security breaches, a written breach response plan tracking HIPAA/HITECH requirements is also recommended

  14. Subcontractor BAAs
  • Prior to HITECH, BAs were required to “ensure” that a subcontractor “agree” to the same privacy and security obligations that apply to a BA with respect to PHI
  • Written agreements between BAs and subcontractors are common, but not strictly required
  • Final Rule requires that a BA enter into a written agreement with a subcontractor ensuring compliance with applicable Privacy and Security Rule requirements

  15. Subcontractor BAAs (cont.)
  • Obligation to enter into a BAA with a subcontractor rests solely with the BA, not the CE
  • The form of a “downstream” subcontractor BAA is identical to an “upstream” BAA between a CE and a BA

  16. “Downstream” Business Associate Agreements
  Each downstream subcontractor BAA must be at least as stringent as the primary BAA between a BA and the CE

  17. BAA Transition Period
  • If a BAA compliant with prior HIPAA requirements was entered into prior to the publication date of the Final Rule (Jan. 25, 2013), AND
  • The BAA is not renewed or modified between March 26 and Sept. 23, 2013, THEN
  • The BAA will be deemed compliant until the EARLIER of:
    • The date the contract is renewed or modified on or after Sept. 23, 2013, OR
    • Sept. 23, 2014

  18. BAA Liability
  • Final Rule amends the Enforcement Rule to provide that BAs may be directly liable for civil money penalties for violations of the Privacy and Security Rules
  • BAs will be liable, in accordance with the federal common law of agency, for violations based upon the acts or omissions of agents
    • Includes workforce members and subcontractors
    • But the agent must be acting within the scope of agency

  19. CE Liability – Final Rule
  • The Final Rule makes CEs liable for actions of BAs acting as agents under the federal common law of agency, just as BAs will be liable for actions of subcontractors
  • For BAs that are “independent contractors,” rather than “agents,” CEs will have an affirmative defense to these liabilities if they can show no willful neglect and timely corrective action
  • Hard to apply the agency principle with certainty because it requires evaluating the degree of control that the CE exercises over the BA’s conduct

  20. When Is a BA an Agent?
  • In commentary to the Final Rule, OCR states that the “essential factor” in determining whether an agency relationship exists is the right of the CE to control the conduct of the BA in performing its services
  • OCR says that the ability of a CE to give interim instructions or directions suggests an agency relationship

  21. When Is a BA an Agent? (cont.)
  • If a BA performs its duties strictly in accordance with the terms of its agreement and any change in duties requires a contract amendment, then the BA is probably not an agent
  • A CE can be liable for the actions of an agent BA even in the absence of a business associate contract

  22. Accretive Health Settlement
  • January 2012: Minnesota AG brings enforcement action against Accretive Health, Inc., a business associate, using authority under the HITECH statute
  • Accretive had a laptop stolen containing approx. 23,500 patients’ records
    • In its capacity as BA to two Minnesota health systems
  • AG sought to use authority under the HITECH statute in the first such action against a BA

  23. The Settlement
  • July 30, 2012: Minnesota AG and Accretive reach settlement
  • Accretive ceases doing business in Minn. for two years
    • And for the next four years, Accretive can reenter the state only with permission of the AG and after entering into a consent decree
  • $2.5 million settlement payment placed in a restitution fund for patients

  24. The Takeaways
  • Some state AGs may take a similarly aggressive approach to enforcement, and BAs should be prepared
  • A formal HIPAA security compliance program is not required of a BA today according to OCR
    • But an AG may take a different view
  • An AG HIPAA enforcement action can lead to a more wide-ranging investigation and charges under state laws
    • In Accretive, this included charges under Minn. consumer protection laws over alleged aggressive collection practices
  • AGs may interpret HIPAA and HITECH in novel ways – such as asserting a current, affirmative duty of a BA to enter into a BAA

  25. HIPAA Pilot Audit Program
  • HITECH required that HHS conduct periodic audits to ensure compliance with HIPAA
  • OCR implemented the requirement through a pilot program of 115 audits from November 2011 through December 2012
  • First wave of audits applied to CEs only
  • BAs will be subject to future audits
  • It will be interesting to see how BAs are selected for audit, given the wide variety of businesses that qualify as BAs

  26. The Rest of the HITECH Story
  • Breach notification standards
  • Penalty structure and enforcement process
  • Business associate requirements
  • Limits on disclosures to health insurers
  • Sale of PHI limits
  • Marketing limits
  • Fundraising limits
  • Genetic info limits (health insurers)
  • Disclosures regarding deceased persons
  • Disclosures for school immunizations
  • New rules re research authorizations
  • Individual rights to electronic PHI
  • Notice of privacy practices requirements

  27. Deceased Persons
  “Protected health information” is defined to exclude information about a person who has been deceased for more than 50 years.

  28. Deceased Persons (cont.)
  • If an individual is deceased, a covered entity may disclose PHI about the decedent to a family member, relative, close personal friend, or other person involved in the decedent’s healthcare or payment for care prior to the decedent’s death if:
    • Disclosure is not inconsistent with prior expressed wishes of the decedent known to the covered entity, and
    • PHI is relevant to the recipient’s involvement in the decedent’s healthcare or payment for care.

  29. Deceased Persons (cont.)
  • “Family member” means:
    • Dependent.
    • Person who is a first-, second-, third- or fourth-degree relative of the individual or of a dependent of the individual.
  • Applies to both relatives by blood and by marriage.
  • Applies to step-relatives as with full relatives.

  30. School Immunizations
  • Covered entity may disclose proof of immunization to a school if:
    • PHI disclosed is limited to proof of immunization;
    • School is required by state or other law to have such proof of immunization prior to admitting the individual;
    • Covered entity obtains agreement to disclosure from either:
      • The individual, if emancipated or an adult; or
      • A parent, guardian or other person acting in loco parentis if the individual is an unemancipated minor; and
    • Covered entity documents the agreement.

  31. Restrictions on Disclosure of PHI to Health Insurers
  Covered entity must agree to an individual’s request to restrict disclosure of PHI to a health plan if:
  • The PHI pertains solely to a health care item or service for which the individual, or another person on the individual’s behalf, paid the covered entity in full; and
  • Disclosure is for the purpose of carrying out the health plan’s payment or health care operations and is not otherwise required by law.

  32. Restrictions on Disclosure of PHI to Health Insurers (cont.)
  • HHS acknowledged the operational problems with the new rule, but concluded providers should already have methods to flag records under the minimum necessary standard.
  • Only applies to disclosures to health plans, not others.
  • Does not apply if disclosure is otherwise required by law, e.g., Medicare audits, payment conditions, etc.

  33. Restrictions on Disclosure of PHI to Health Insurers (cont.)
  • Provider may require payment in full before the individual may invoke the restriction.
  • If the provider cannot unbundle the items or services, it must notify the individual that they must pay the entire bill to trigger the rule.
  • Individual is responsible for notifying downstream providers.

  34. Restrictions on Disclosure of PHI to Health Insurers (cont.)
  • The restriction only applies if the individual requests the restriction.
  • Must include a statement advising the individual of the restriction in the notice of privacy practices, but most individuals don’t read the notice.
  • Don’t ask the individual!

  35. Sale of PHI
  • Covered entity or business associate may not sell PHI unless:
    • They obtain the individual’s prior written authorization, and
    • The authorization discloses that the covered entity will receive remuneration in exchange for PHI.
  • “Sale of PHI” means disclosure of PHI by a covered entity or business associate if they receive, directly or indirectly, any remuneration, financial or otherwise, from or on behalf of the recipient of the PHI in exchange for the PHI.

  36. Sale of PHI (cont.)
  • “Sale of PHI” does not include disclosures:
    • To the individual who is the subject of the PHI.
    • For treatment or payment purposes.
    • Required by law.
    • As part of the sale, transfer, merger, or consolidation of the covered entity and related due diligence.
    • To or by a business associate where the remuneration is to pay for the business associate’s activities.
    • For certain public health purposes.
    • For purposes permitted by HIPAA if the only remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes, or a fee otherwise expressly permitted by other law.

  37. Sale of PHI (cont.)
  • Sale of PHI does not include payments under arrangements to perform services where disclosure of PHI is a byproduct of the service, e.g.:
    • Grants for program or perform activities.
    • Research studies.
    • Participation in a health insurance exchange.
    • Sale of accounts receivable to a collection agency.

  38. Marketing
  • Covered entity and business associate must obtain an authorization for any use or disclosure of PHI for marketing.
  • “Marketing” means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

  39. Marketing (cont.)
  • If marketing involves financial remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
  • “Financial remuneration” means direct or indirect payment by the third party whose product or service is being described.

  40. Marketing (cont.)
  • “Marketing” does not include a communication made:
    • To provide refill reminders or communicate about a drug that is currently being prescribed for the individual.
      • Any financial remuneration must be reasonably related to the cost of making the communication.

  41. Marketing (cont.)
  • For the following treatment and health care operations purposes, unless the covered entity receives financial remuneration for the communication:
    • Treatment, including case management, care coordination, or recommending treatment alternatives; or
    • To describe a health-related product or service provided by the covered entity.

  42. Marketing (cont.)
  • No authorization is required for the following marketing communications even if financial remuneration is received for making the communication:
    • Face-to-face communication made by a covered entity to an individual.
      • Not via telephone, text, internet, fax, etc.
    • A promotional gift of nominal value provided by the covered entity.

  43. Marketing (cont.)
  • No authorization is required for communications:
    • Promoting health in general, not a product or service.
    • About government-sponsored programs.

  44. Fundraising
  • Subject to certain conditions, a covered entity may disclose the following PHI to a business associate or institutionally related foundation for the purpose of raising funds for its own benefit without an authorization:
    • Name, address, contact info, age, gender and birthdate;
    • Dates of healthcare provided to the individual;
    • Department of service information;
    • Treating physician;
    • Outcome information; and
    • Health insurance status.

  45. Fundraising (cont.)
  • To use PHI for fundraising, a covered entity:
    • Must include a statement notifying the individual of fundraising in the covered entity’s notice of privacy practices.
    • With each fundraising communication, must provide a clear and conspicuous opportunity to opt out of fundraising.
    • Method for opting out cannot cause undue burden or more than nominal cost (e.g., toll-free number, e-mail).

  46. Fundraising (cont.)
  • May not condition treatment or payment on participation in fundraising.
  • May not make fundraising communications to individuals who opt out.
  • May notify individuals of a method to opt back in.

  47. Research: Compound Authorizations
  • May combine an authorization to use or disclose PHI for a research study with any other type of permission for the same or another research study (i.e., may use a compound authorization), including:
    • Consent to participate in research,
    • Another authorization for the same research study, or
    • An authorization for the creation or maintenance of a research database or repository.

  48. Research: Compound Authorizations
  If a compound authorization conditions treatment on participation in research, it must clearly identify the conditioned components and give the individual an opportunity to opt in to the unconditioned research activities.

  49. Research: Authorizing Future Research
  • Research authorization may allow use or disclosure of PHI for purposes of future research.
  • Authorization “purpose” need not be limited to the current study.
  • This is a change in HHS interpretation.

  50. Individual Access to PHI
  • Extension for off-site records is deleted.
  • Covered entities must generally respond to a request for access within 30 days.
  • May obtain one 30-day extension.