HITECH’s Changes to HIPAA
September 22, 2010
Carole D. Christian
Erin Brisbay McMahon

DISCLAIMER
The information in the following slides is a summary, and is not intended to cover all the fine points of HIPAA, the HITECH Act, or their implementing regulations. Accordingly, it is not intended to be legal advice, which should always be obtained in direct consultation with an attorney.

• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Enacted February 17, 2009
• Many changes to HIPAA’s (Health Insurance Portability and Accountability Act) Privacy and Security Rules

• Important to understand the hierarchy of:
  • Statutes (U.S.C.) (e.g., HITECH, HIPAA)
  • Final Rules (C.F.R.) (e.g., HIPAA Privacy Rule, HIPAA Security Rule)
  • Interim Final Rule (e.g., Data Breach Rule, Enforcement Rule)
  • Notice of Proposed Rulemaking (e.g., HITECH Rule)

New HIPAA/HITECH Rules
• Data Breach Rule - http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
• Enforcement Rule - http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
• Proposed HITECH Rule - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf

When Are These Changes Effective?
• Increased Penalties – February 18, 2009
• Data Breach Regulations – effective date of September 23, 2009
• Enforcement Regulations – effective date of November 30, 2009
• HITECH statutory requirements with an effective date of February 18, 2010 – HHS representatives have said they won’t enforce until six months after the effective date of the final HITECH rule (yet to be issued) – HHS only?
• Willful neglect mandatory penalties – February 18, 2011 (reachback to February 18, 2009)
ENHANCED ENFORCEMENT OF HIPAA
• Stiffer Enforcement Program & Penalties
  • Historically, HIPAA enforcement has been complaint driven. To date, no civil monetary penalties have been imposed. Three “resolution agreements” have been reached.
  • ARRA appropriated $24.3 billion to the privacy and security goals. Of this amount, $9.5 billion is set aside to fund proactive HIPAA compliance audits by the Office for Civil Rights and CMS.

• Stiffer Enforcement Program & Penalties (cont’d)
  • Under HITECH, potential civil monetary penalties are increased significantly, but are tiered to take into account the intent of the violator. The tiers are as follows:
  • Tier A: if the violator did not know (and by exercising reasonable diligence would not have known) that its actions violated the HIPAA laws or regulations, a penalty of at least $100 per violation (except that the total amount of a fine cannot exceed $25,000 for multiple violations of any one requirement or prohibition), not to exceed $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).

• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier A Example:
    • A Covered Entity (CE) with a direct treatment relationship with an individual patient failed to provide the patient a complete Notice of Privacy Practices (NPP).
    • HHS’s investigation revealed that the CE had a compliant NPP in place along with proper policies and procedures and had appropriately trained its workforce.
    • The violation resulted from an isolated incident (a printing error) affecting only a small number of patients.

• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier A Example:
    • A Business Associate (BA) failed to terminate a former employee’s access privileges to electronic protected health information (EPHI).
    • HHS’s investigation revealed that the BA’s policies and procedures were properly drafted, and that the BA attempted to terminate the former employee’s access, but it accidentally terminated access of a current employee with the same last name.
• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier A Example:
    • A hospital employee accessed the paper medical records of his ex-spouse while he was on duty to discover her current address for a personal reason, knowing that access was not permitted by the Privacy Rule and was contrary to hospital policies and procedures.
    • HHS’s investigation revealed that the CE had appropriate and reasonable safeguards regarding employee access to medical records, and that it had delivered appropriate training to the employee.
    • Therefore, this is a Tier A violation. The employee’s knowledge is not imputed to the hospital because the employee was acting outside the scope of his employment.
• Stiffer Enforcement Program & Penalties (cont’d)
  • Tier B: If the violation was due to reasonable cause and not willful neglect, a penalty of at least $1,000 per violation (except that the total amount of a fine cannot exceed $100,000 for multiple violations of any one requirement or prohibition), not to exceed $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).
  • Proposed Rule further defines “reasonable cause”
    • Includes situations where it is unreasonable for the CE or BA to comply, despite the exercise of ordinary business care and prudence.
    • Includes situations where a CE or BA has knowledge of the violation but lacks the conscious intent or reckless indifference associated with willful neglect.
• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier B Example:
    • CE received an individual’s request for access but did not respond within the appropriate time period.
    • HHS’s investigation revealed that the CE had compliant access policies and procedures in place, but that it received an unusually high volume of requests for access within the time period in question.
    • While the CE responded to the majority of access requests in the time period in a timely manner, it failed to respond to several requests in time.
    • The CE responded in a timely manner to all requests it received after the time period in which the violations occurred.

• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier B Example:
    • CE presented an authorization form to a patient for signature to permit a disclosure for marketing purposes that did not contain the core elements required under HIPAA.
    • HHS’s investigation revealed that the CE was aware of the requirement for an authorization for a use or disclosure of PHI for marketing and had attempted to draft a compliant authorization.
    • Unless resolved by informal means, HHS would have grounds to find that this violation was due to “reasonable cause”.
• Stiffer Enforcement Program & Penalties (cont’d)
  • Tier C: If the violation was due to willful neglect and is corrected, a penalty of at least $10,000 per violation (except that the total amount of a fine cannot exceed $250,000 for multiple violations of any one requirement or prohibition), not to exceed $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).
  • Willful neglect – conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated. Actual knowledge that a violation occurred, not just knowledge about the facts of a violation.
• Stiffer Enforcement Program & Penalties (cont’d)
  • Tier D: If the violation was due to willful neglect and is not corrected, a fine of $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).
• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier C or D Example of “Willful Neglect”:
    • CE disposed of several hard drives containing ePHI in an unsecured dumpster in violation of HIPAA’s Security and Privacy Rules.
    • HHS’s investigation revealed that the CE failed to implement any policies and procedures to reasonably and appropriately safeguard ePHI during the disposal process.

• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier C or D Example of “Willful Neglect”:
    • CE failed to respond to an individual’s request that it restrict its uses and disclosures of the individual’s PHI.
    • HHS’s investigation revealed that the CE did not have any policies and procedures in place for consideration of the restriction requests it received and refused to accept any requests for restrictions from individual patients who inquired.
    • The refusal to accept any requests would be grounds for a separate finding of a violation due to willful neglect.

• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier C or D Example of “Willful Neglect”:
    • CE’s employee lost an unencrypted laptop that contained unsecured PHI.
    • HHS’s investigation revealed that the CE feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required under the Data Breach Notification Rule.

• Stiffer Enforcement Program & Penalties (cont’d)
  • Proposed Rule, Tier C Example of “Correction”:
    • CE or BA has inadequate safeguards, policies and procedures and this results in an impermissible disclosure.
    • The disclosure violation itself cannot be fully corrected.
    • However, the safeguards violation can be corrected if the noncompliant policies and procedures are brought into compliance.
    • Corrective action will always be required of a CE or BA.

• Criminal Penalties
  • Criminal penalties of up to $50,000 and up to one year in prison, or both, must be imposed if a person knowingly and in violation of the HIPAA security rule, privacy rule, or data breach rule wrongfully obtains individually identifiable health information relating to an individual or wrongfully discloses individually identifiable information to another person.

• Criminal Penalties (cont’d)
  • These penalties increase to up to $100,000 and up to five years in prison, or both, if the information was obtained under false pretenses, and up to $250,000 and up to ten years in prison, or both, if the violation involves commercial advantage, personal gain, or malicious harm.

• State Attorney General Actions
  • State Attorneys General may now file a civil action against HIPAA violators on behalf of residents of their state for statutory damages determined by multiplying the number of violations by an amount up to $100. The total amount of damages imposed for all violations of an identical requirement or prohibition in one calendar year may not exceed $25,000.
  • Connecticut’s Attorney General is aggressively pursuing HIPAA violations.

• In January 2010, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The parties settled in July 2010.
• Health Net of Connecticut’s settlement included:
  • two years of consumer credit monitoring
  • $1 million of identity theft insurance and reimbursement for the costs of security freezes
  • “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA
  • $250,000 payment to the state in statutory damages
  • Additional $500,000 contingent payment to the state should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.
• Attorney General Blumenthal has since announced investigations of Griffin Hospital, Yale University Medical School, and the University of Connecticut.

• “Qui Tam” Actions
  • The GAO is directed to prepare a report within 18 months of HITECH’s enactment establishing a method for allowing affected individuals to share in civil monetary penalties imposed under HIPAA or settlements.
  • HHS must adopt such methodology within 3 years of HITECH’s enactment. This will increase incentives to file complaints for violations of HIPAA, much like whistleblower suits under the False Claims Act.

• We are already seeing increased criminal enforcement
  • October 2008: an Arkansas physician and two hospital employees accessed the medical records of a high profile patient at the hospital where they worked.
  • After hearing the patient’s story on the news, Dr. Jay Holland, the Medical Director of Select Specialty Hospital, accessed the patient’s records from his home computer. The hospital suspended his privileges for 2 weeks and required on-line HIPAA training.
  • One hospital employee (ER coordinator - fired) accessed the patient’s records 3 times in one day after being told to set up an alias for the patient and the other accessed them 12 times (patient registration person at offsite clinic - fired).

• Increased criminal enforcement (cont’d)
  • The doctor and employees had all been trained on HIPAA privacy laws (KEY for you). Can you document attendance for each of your employees?
  • They each admitted that they had no legitimate purpose for accessing the records.
  • Each stated that they accessed the patient’s files out of curiosity.
• Stiffer Penalties Are Now Being Enforced
  • Each pled guilty to a misdemeanor violation of HIPAA.
  • Each faced a maximum penalty of 1 year in prison, a fine of up to $50,000, or both.
  • Judge sentenced all to one year’s probation. Doctor was fined $5,000 and ordered to perform 50 hours of community service; one employee was fined $2,500, the other was fined $1,500.
• Prison time for just snooping
  • A former UCLA Health System researcher, Huping Zhou, was sentenced to four months in prison for illegally perusing the medical records of co-workers and celebrities.
  • Zhou is licensed as a cardiothoracic surgeon in China and worked as a research assistant at one of UCLA's facilities. In October 2003, Zhou was notified that he would be terminated. Over the next three weeks he abused his access to the computer system to look up health information of patients, most of them celebrities and people Zhou worked with, he admitted in a plea agreement with prosecutors.
  • An investigation by the California Center for Health Care Quality indicated that the peeking was widespread, concluding that UCLA workers inappropriately accessed the records of 1,041 patients, and 165 employees were terminated, suspended or warned.

Data Breach Notification Law and Regulations (In Effect)
• Affirmative breach notification obligations
  • Effective Date of the Interim Final Rule was September 23, 2009.
  • The HHS Final Rule on breach notification was submitted to the OMB on May 14, 2010.
  • However, HHS has withdrawn the Final Rule because of its disagreement with Congress about whether to include the harm analysis in the Rule (HHS wants it, Congress doesn’t).
  • Interim Final Rule remains in effect, including the harm analysis, until a final rule is published.
• Affirmative breach notification obligations (cont’d)
  • OLD LAW: HIPAA did not explicitly require breach notification.
  • Under HITECH, Covered Entities & Business Associates must develop a notification process to deal with breaches of unsecured protected health information (PHI).
  • Unsecured PHI is information that is not encrypted or has not been destroyed.

• Affirmative Breach Notification Obligations
  • HITECH is broader than most relevant state notification laws because:
    • Applies to breaches (violation of HIPAA privacy rule) involving any kind of PHI held by covered entities (rather than specific categories, such as social security number); and
    • Requires Covered Entities to determine if the breach poses a significant risk of financial, reputational, or other harm to the individual – if not, no breach has occurred. Must keep documentation of determination 6 years from the date the determination is finalized.

• PRACTICAL TIPS:
  • Develop a data breach response plan before something happens
  • Assign compliance responsibility with a backup team
  • Develop internal investigation procedures (involve legal immediately for privilege purposes) and don’t let an investigation languish
  • Decide in what situations law enforcement will be called
  • Develop a PR strategy
  • Decide whether to set up a call center for large data breaches
  • Develop a form letter for informing patients

• Exceptions to Affirmative Breach Notification Obligations
  • If a Limited Data Set (stripped of 16 identifiers) is improperly used or disclosed, that does not constitute a breach if zip codes or dates of birth were also removed.
  • Covered Entity must document that the lost information did not include any of these identifiers.

• Exceptions to Affirmative Breach Notification Obligations – must document why you qualify
  • An unintentional acquisition, access or use of PHI by a workforce member acting under the authority of a covered entity or a business associate, if the acquisition, access, or use was made in good faith, within the course and scope of employment or other professional relationship, and does not result in a further use or disclosure not permitted by the Privacy Rule.
  • Example: Nurse mistakenly sends an e-mail containing PHI to a billing employee. Billing employee recognizes she/he is not the intended recipient, deletes the e-mail, and alerts the nurse of the misdirected e-mail.

• Exceptions to Affirmative Breach Notification Obligations – must document why you qualify
  • An inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or OHCA in which the covered entity participates, as long as the recipient does not further use or disclose the PHI in violation of the Privacy Rule.
  • Example: A physician who has authority to use or disclose PHI at a hospital by virtue of participating in the OHCA is similarly situated to a nurse or billing employee at the hospital who also has authority to use or disclose PHI at that hospital.
• Exceptions to Affirmative Breach Notification Obligations – must document why you qualify
  • The Covered Entity has a good faith belief that the person to whom the inappropriate disclosure was made would not reasonably have been able to retain the information.
  • Example: A nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and retrieves the papers. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, no breach has occurred.
• PRACTICAL TIPS:
  • Must develop a data breach notification policy and update other policies (training, complaints, etc.)
  • Must train physicians and staff to recognize violations of HIPAA and report them so that you can document investigation and determination of whether there is a breach that requires notification
  • Suggest making not reporting a possible breach a sanctionable violation subject to progressive discipline, because if you should have known of the breach, that starts your clock for notification

• Breaches Treated As Discovered
  • Breaches are treated as discovered by the covered entity as of the first day the breach is known to the covered entity OR by exercising reasonable diligence would have been known to the covered entity through any workforce member or agent (including a business associate) of the covered entity other than the individual committing the breach. HHS will look to the federal common law of agency.
  • Must implement reasonable systems for discovery of breaches (e.g., system activity review after a high-profile patient has been discharged)
  • If the business associate is an agent of the covered entity, the time to notify runs from the BA’s discovery. If the BA is an independent contractor, then the CE must provide notification based on the time the BA notifies the CE of the breach.
  • PRACTICAL TIP: put independent contractor clauses in all BAAs

• When Individuals Must Be Notified
  • All notifications must be made without unreasonable delay.
  • PRACTICAL TIP: Get notices out ASAP. Delays will cause media outlets, the FBI, and the Secret Service to question why you delayed.
  • In no case may the notification be made later than 60 days after the discovery of the breach, unless law enforcement provides a written statement specifying the delay time (oral request – no longer than 30 days – document the statement and identity of the official).
  • CEs and BAs have the burden of proving that all notifications were made properly.

• What The Notification Must Contain
  • Regardless of the method of notification, the following information must be written in plain language (may need to be available in other languages, Braille, large print, or audio):
    • A brief description of what happened, including date(s) of breach and discovery;
    • A description of the types of unsecured PHI that were involved in the breach (such as name, SS #, DOB, address, account #, diagnosis or disability code);
    • The steps individuals should take to protect themselves from potential harm;

• Contents of Notification (cont’d)
    • A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
    • Contact procedures for individuals to ask questions or get additional information.
  • Must include a toll-free number, an e-mail address, a Web site, or a postal address.
  • Avoid including sensitive information in the notification itself.

• Method of Notification
  • First class mail to last known address OR e-mail if the individual has consented to electronic notification and consent hasn’t been withdrawn
  • Minors, incompetents – send to personal representative
  • Deceased (if CE knows of death and has the address of next of kin or personal representative) – send to next of kin or personal representative

• Method of Notification (cont’d)
  • Substitute notice – if CE doesn’t have contact info or if notices are returned undeliverable:
    • Less than 10 people – e-mail, telephone
    • 10 or more people:
      • conspicuous posting for 90 days on the home page of the website (can be a hyperlink that is noticeable given its size, color and graphic treatment) or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected likely reside AND
      • toll-free phone number, active for 90 days, where an individual can learn whether his/her unsecured PHI may be included in the breach. Phone number must be in the conspicuous posting or notice.

• Method of Notification (cont’d)
  • If concerned that misuse is imminent, may make an additional telephone notification, but still must notify in writing.

• Media Notice
  • In some instances, notice to media outlets is required.
  • If the unsecured PHI of more than 500 residents of a state or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during a breach, notice must be provided to prominent media outlets in that area. This is in addition to written notice to the individuals affected.

• HHS Notification
  • Notice shall be provided to the Secretary by covered entities of unsecured PHI that has been involved in a breach.
  • If the breach involves more than 500 individuals (no matter which state), notice must be given immediately (concurrently with the notices sent to individuals).
  • Under the rule, if the breach involves less than 500 individuals, the covered entity may maintain a log and annually submit the log to the Secretary (within 60 days after Dec. 31). For 2009, submit information for breaches occurring on or after September 23.
  • As a practical matter, HHS’s website requires that breaches involving less than 500 people be reported one at a time, so it’s easier just to report as events happen; however, you might want to consider holding your breach reports until Feb. 28 – Mar. 1 every year so that they blend in with the others filed on those dates. Address: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
  • Maintain a record of the investigation for six years from the date the investigation closes.

• Safe Harbors – Encryption and Destruction
  • The breach notification provisions only apply to “unsecured protected health information.” If your PHI is secured by encryption or destruction, then there is no need to report a breach to anyone.
  • Unsecured PHI is PHI that is not secured by a technology that renders it unusable, unreadable or indecipherable to unauthorized individuals.
  • Thus, covered entities have a significant incentive to encrypt PHI or take other steps to ensure it is not “unsecured.”
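The notification duties from the slides above (discovery clock, the 60-day outer limit and law-enforcement delay, per-state media notice, immediate HHS notice versus the annual log, substitute-notice thresholds and the encryption safe harbor) combined into one decision routine a response team could keep beside its breach plan. This is an added example, not part of the presentation; the data classes, field names and sample figures are this example's own, and the exactly-500 case, which the slides do not address, follows their "more than 500" wording literally.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and deadlines as stated in the slides (Interim Final Rule).
INDIVIDUAL_NOTICE_DEADLINE_DAYS = 60      # outer limit after discovery
MEDIA_NOTICE_THRESHOLD = 500              # "more than 500" residents of one state
HHS_IMMEDIATE_THRESHOLD = 500             # "more than 500" individuals in total
SUBSTITUTE_NOTICE_SMALL_GROUP = 10        # fewer than 10: e-mail or telephone
LAW_ENFORCEMENT_ORAL_DELAY_MAX_DAYS = 30  # oral request without a written statement
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60       # log due within 60 days after Dec. 31


@dataclass
class BreachFacts:
    """Constructed input record; the field names are this example's own."""
    discovered: date                        # first day known or should have been known
    affected_by_state: Dict[str, int]       # state -> individuals whose PHI was involved
    phi_secured: bool = False               # encrypted or destroyed (safe harbor)
    significant_risk_of_harm: bool = True   # outcome of the harm analysis
    unreachable: int = 0                    # no contact info or notice returned
    law_enforcement_written_delay_days: int = 0
    law_enforcement_oral_request: bool = False


@dataclass
class Obligations:
    notification_required: bool
    reason: str
    individual_notice_no_later_than: Optional[date] = None
    media_notice_states: List[str] = field(default_factory=list)
    hhs_notice: str = "none"                # "immediate" or "annual log"
    hhs_log_due: Optional[date] = None
    substitute_notice: str = "none"


def assess(facts: BreachFacts) -> Obligations:
    """Map the facts of an incident to the notification duties the slides list."""
    # Safe harbor: the notification provisions reach only unsecured PHI.
    if facts.phi_secured:
        return Obligations(False, "PHI secured by encryption or destruction")
    # Harm analysis: no significant risk means no breach, but the
    # determination itself must be documented and kept for six years.
    if not facts.significant_risk_of_harm:
        return Obligations(False, "no significant risk of harm; document the determination")
    total = sum(facts.affected_by_state.values())
    if total == 0:
        return Obligations(False, "no individuals affected")

    # Outer limit: 60 days from discovery. Only a law-enforcement statement
    # extends it, and an oral request is good for at most 30 days.
    delay = facts.law_enforcement_written_delay_days
    if delay == 0 and facts.law_enforcement_oral_request:
        delay = LAW_ENFORCEMENT_ORAL_DELAY_MAX_DAYS
    deadline = facts.discovered + timedelta(days=INDIVIDUAL_NOTICE_DEADLINE_DAYS + delay)

    # Media notice is judged per state; HHS notice is judged on the total.
    media = sorted(s for s, n in facts.affected_by_state.items() if n > MEDIA_NOTICE_THRESHOLD)
    if total > HHS_IMMEDIATE_THRESHOLD:
        hhs, log_due = "immediate", None
    else:  # exactly 500 is not addressed by the slides; "more than 500" read literally
        hhs = "annual log"
        log_due = date(facts.discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)

    # Substitute notice for individuals the CE cannot reach by mail or e-mail.
    if facts.unreachable == 0:
        substitute = "none"
    elif facts.unreachable < SUBSTITUTE_NOTICE_SMALL_GROUP:
        substitute = "e-mail or telephone"
    else:
        substitute = "90-day web posting or major media notice, plus a 90-day toll-free number"

    return Obligations(True, "unsecured PHI with significant risk of harm",
                       deadline, media, hhs, log_due, substitute)


def assess_iso(discovered_iso: str, affected_by_state: Dict[str, int], **facts) -> Obligations:
    """Convenience wrapper taking the discovery date as an ISO-8601 string."""
    return assess(BreachFacts(date.fromisoformat(discovered_iso), affected_by_state, **facts))
```

The routine only sequences the thresholds the slides state; the harm analysis, the agency question for business associates and the documentation retained for six years are still inputs a person has to decide and record.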