HIPAA Security Rule
2. HIPAA Security Rule: Delegation of Authority – July 27, 2009
Streamline, unify, simplify investigation and resolution of cases
Address growing overlap of security/privacy in HT environment
Support and cooperation of CMS to effectuate transfer of cases, system support, technical experts
OCR investigative staff in Regional Offices allows expansion of compliance review and on-site investigatory methods
Security Rule addresses only ephi
This is a big deal.
Bigger than HITECH or at least more immediate.
Will be bigger than Privacy
Applies to ephi that a CE Creates, Receives, Maintains, Transmits
Guiding principles -Ensure the confidentiality, availability and integrity of data
CE must have and implement policies and procedures addressing Physical, Technical and Administrative safeguards
More and more ephi
Privacy and Security are two sides of the same coin. The computer security officer and the privacy officer must work together.
Initially effective May 2005; at that time enforced by CMS. CMS’s approach was “educational”; OCR’s approach is to obtain compliance.
CE must conduct a “risk analysis” – 45 CFR 164.308(1)(ii)(A)
Foundation document
SR interrelated
CE must address and/or meet standards
standards are required or addressable
addressable does not mean optional
The SR does not have a provision regarding the disclosure of ephi. That is a PR rule concern.
Overlap between SR and PR (530 Safeguards): OCR was looking at ephi under the PR prior to the issuance of the SR. A complaint about disclosure may well also be an SR issue.
3. American Recovery and Reinvestment Act of 2009 Title 13: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
Subtitle A: Promotion of HIT through the Office of the National Coordinator for HIT (ONC)
Subtitle B: Testing of HIT through the National Institute of Standards and Technology (NIST)
Subtitle C: Grants and Loan Funding for Incentives for the Use of HIT
Subtitle D: Privacy (Privacy Rule and Security Rule)
Nomenclature issue
ARRA contains a number of “Titles” among them Title 13 HITECH
Subpart D is where the action is
4. Some of the changes are a direct result of HITECH; other changes are due to other legislative mandates.
5. HIPAA Privacy Rule Updates: Regulatory Actions 2009
Breach Notification Guidance 4/2009
Breach Notification IFR 8/2009
Enforcement IFR 10/2009
GINA NPRM 10/2009
Regulatory Actions Scheduled for 2010
HITECH Privacy & Security Rule, including more Enforcement Rule changes, NPRM/Final
Breach Notification Final
Breach Guidance Annual Update
Accounting for Disclosures from EHRs NPRM
GINA Final
6. Breach Notification (45 CFR 164 Subpart D): HHS Issues RFI – April 2009
Guidance on Technologies/Methodologies for unusable, unreadable, indecipherable PHI
(RFI) Request for information
Secured v unsecured data
Secured
encrypted pursuant to standards put forth by NIST (National Institute of Standards and Technology), formerly the Bureau of Standards
destroyed
Unsecured is not necessarily “bad”
Note – Subpart D, “Notification in the Case of Breach of Unsecured Protected Health Information”: if the data/information is secured and is lost/stolen/disclosed, it is not a breach.
7. Breach Notification IFR
Covered entities must notify each affected individual of breach of “unsecured protected health information.”
HHS Breach Notification Guidance: PHI is “unsecured” if it is NOT
Encrypted
Destroyed
“Breach” defined as:
Impermissible use/disclosure
“Compromises privacy/security”
Poses a significant risk of harm to the individual
Exceptions for inadvertent, harmless mistakes
IFR Interim Final Rule
Unsecured sounds like a bad thing, but is not in and of itself a problem
No requirement that PHI must be “secured”
Not all impermissible disclosures are breaches, but all breaches are impermissible disclosures
Very important – breach and disclosure are not the same. In common parlance they are the same, but not legally.
Inadvertent/harmless:
unintentional acquisition, use or access made in good faith, acting under authority, with no further use or disclosure.
ex. Billing clerk looks at a wrong file. Not a breach, but it is an impermissible use.
Inadvertent disclosure by an individual who is authorized to another person who is authorized, with no further disclosure.
ex. Misdirected fax. Again an impermissible disclosure, not a breach.
CE must perform a risk assessment to determine if the disclosure is a breach (harm standard)
Risk assessment – breach
Risk analysis- Security Rule
8. Section 13402: Breach Notification
Section 13402 of the HITECH Act
45 cfr Part 164, subpart D 164.400 et seq
Over 500/under 500
Major media (“prominent”)
Notice to HHS/OCR must be done using the breach notification form found on OCR’s web site. Notice provided by any other means does not fulfill the requirements of the regulation
Law enforcement delay
Law enforcement states to the CE that notice or posting would impede a criminal investigation or harm national security; a CE/BA may delay reporting or posting notice consistent with the representation of law enforcement
Post on OCR’s web site after initial verification of facts
9. Breach Reports: Notifications to the Secretary required by web portal
As of March 31, 2010, 62 reports of breaches affecting 500+ individuals reported, resulting in approx. 750,000 notices
Mostly ePHI that is contained in lost or stolen unencrypted media or portable device
Also received over 5000 reports of smaller breaches
Mostly paper records sent to wrong fax number, wrong address, wrong individual
OCR processing
500+ verify and investigate
<500 regional discretion
500+ posting on OCR website
investigating underlying disclosure/security rule
OCR verifies before putting on web site
Some CEs indicate that the report was made in error, not a breach, etc.; the CE must prove it
10. FTC Breach Notification for PHRs: FTC to regulate similar notice requirements for PHR vendors not subject to HIPAA
FTC Notice of Proposed Rulemaking Published April 2009; Request for Public Comment due June 1, 2009
FTC Final Rule published August 2009
HHS and FTC to study and recommend to Congress privacy and security requirements for non-HIPAA PHR vendors and best oversight
PHR = Personal Health Record (Google, etc.)
As opposed to EHR
11. Improved Enforcement: HITECH Act, Sections 13410 and 13411:
Noncompliance Due to Willful Neglect
Distribution of Certain Civil Monetary Penalties
Transfer to OCR for Enforcement
Percentages to Harmed Individuals
Tiered Increases in Civil Monetary Penalties
Enforcement by State Attorneys General
Periodic Audits
Criminal Penalties for Individuals (Employees)
Other: Secretary’s Delegation of Security Rule Enforcement to OCR – July 27, 2009
12. Enforcement Framework in Complaint Investigation: The Enforcement Rule
71 FR 32, p. 8390 (Feb. 16, 2006)
Revised 74 FR, p. 56123 (October 30, 2009)
Enforcement Rule modified to implement changes mandated by HITECH Act
The Enforcement Rule applies to both the Privacy & Security Rules
Civil Monetary Penalties can be imposed by OCR
13. Enforcement Rule IFR: Section 13410(d) of the HITECH Act
Effective February 18, 2009
Strengthened HIPAA’s CMP Scheme by:
Creating tiers of increasing penalty amounts that are associated with categories of culpability
The changes made in the Enforcement Rule are made so that the language in the Rule matches the language in the statute. The statute has not been “interpreted”; rather
14. CMPs Increased: 45 CFR 160.404 – Amount of a Civil Money Penalty
What HITECH did was to harmonize the civil and criminal CMP schemes
15. Modifications to the Enforcement Rule
Lost/stolen data of 675 individuals – how many violations? 1? 675?
CE doesn’t have a policy/procedure – a violation for each day the CE didn’t have the policy/procedure?
Rule (either SR or PR) has been effective for some number of years – failure to have policies/procedures seen as willful neglect
16. CMP Categories
If “person did not know” or “by exercising reasonable diligence would not have known.”
If the violation was “due to reasonable cause and not to willful neglect.”
If the violation is due to willful neglect, and is corrected during 30-day time period.
If the violation is due to willful neglect, and is not corrected during 30-day time period.
The category determination is part of OCR’s investigation and is driven by the facts and circumstances of a particular incident.
17. Amount of a Civil Money Penalty – 45 C.F.R. § 160.404(b)
18. More Information: Enforcement Interim Final Rule (74 FR 56123)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
19. HITECH Act Section 13410(e): State Attorneys General Jurisdiction
State Attorney General (AG) may bring an action in federal court on behalf of state residents to:
enjoin defendant from further violation; or
obtain damages (of $100 per violation).
State must serve prior written notice upon HHS.
HHS may intervene in the state action.
If HHS has already instituted an action against defendant, State AG may not bring action while HHS action ongoing.
20. State Attorney General: First complaint filed by CT SAG under HITECH authority
Injunctive relief, statutory penalties sought
Combination of HIPAA and state law
Security Rule violations alleged in loss/theft of portable media
Privacy Rule violations alleged in access
State law breach notification claims
Now 2 such cases, both in Conn.
If OCR starts first, SAG must wait
Must notify OCR
OCR may intervene
21. HIT HIPAA Privacy Changes
Business Associates: Liable for compliance with Security Rule and uses and disclosures under Privacy Rule; HIEs, certain PHR and others transmitting data are business associates. Effective 2/2010
Right to Electronic Access: If covered entity uses an EHR, individual has a right to a copy of his PHI in electronic format. Effective 2/2010
Accounting for TPO Disclosures: If covered entity maintains an electronic health record (EHR), covered entity must include in an accounting disclosures through the EHR for treatment, payment, and health care operations for the three years prior to the request. Effective Date: Depends on CE’s adoption of EHR
BA provisions overdue, going through the regulatory process
sec 13404 – about 25 lines
BA that obtains or creates PHI:
uses and disclosures must be consistent with the BA agreement and the regulation
Electronic access
Accounting – paper 6 years
22. Other HIPAA Privacy Changes
Right to Restriction: Covered entity must comply with individual’s request for restriction if disclosure: (1) is to health plan for payment or health care operations and (2) pertains to item/service for which provider was paid in full “out-of-pocket.” Effective 2/2010
Marketing: Places additional restrictions on covered entity making certain communications about products or services, where entity receives payment in exchange for communication. Effective 2/2010
Fundraising: Covered entity’s fundraising communications must provide clear opportunity for individual to opt out of future communications. Effective 2/2010
Right to restriction – IMPORTANT: now a CE must honor the request if the request for restriction is to a plan for payment/HCO and the provider was paid. Previously the PR provided the individual with the right to request a restriction, but the CE had the right to refuse the restriction. No longer the case.
Marketing (13406) – not considered HCO if the CE is paid to make the communication. The definition of marketing excludes a number of communications from the category of marketing; that is no longer the case if the CE is paid to make such a communication. In general a CE may communicate about a product or service it offers; however, if the CE is paid by a 3rd party to make such a communication, the communication is considered marketing.
13406 Fundraising – opt-out provisions
23. Other HIPAA Privacy Changes
Minimum Necessary: Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary. HHS to issue guidance on what constitutes minimum necessary.
Sale of PHI: No direct or indirect remuneration in exchange for PHI, unless the individual signed an authorization; exceptions for public health, research, treatment, sale of business, business associate activities, individual access, and others as determined by Secretary. Effective Date: Regulations required within 18 months after enactment; provisions apply 6 months later.
Min Necessary (section 13405): no guidance as of yet; statutory deadline for guidance due 8/2010
Sale of PHI
24. Section 13411: Audits
Secretary must provide for periodic audits of covered entities and business associates to ensure that they are in compliance with the Privacy Rule and the Security Rule requirements.
25. Education on Health Information Privacy
Regional Office Privacy Advisors for education and guidance to covered entities, their business associates and individuals on privacy and security of PHI
Multi-faceted National Education Initiative on health information privacy to enhance public transparency regarding uses of PHI, including programs to educate individuals about potential uses of their PHI, the effects of such uses, and their privacy rights with respect to such uses
26. Genetic Information: Genetic Information Non-Discrimination Act
Signed into law May 21, 2008
To protect individuals from discrimination in health insurance and employment on the basis of genetic information
Mandates modification of the Privacy Rule to incorporate provisions specific to genetic information
Genetic information is protected health information;
Prohibit the use or disclosure of genetic information for underwriting
27. GINA NPRM: NPRM issued 10/01/2009
Together with IFR for GINA protections from health plan discrimination issued by HHS/CMS, DOL, and Treasury (IRS)
EEOC Final Rule for GINA protections from employer discrimination in clearance
28. Status of All Complaints
29. Total Investigated Resolutions
30. Want More Information? The OCR website: http://www.hhs.gov/ocr/privacy/