HIPAA Omnibus Final Rule: Who? What? When?
Nicholas Heesters, JD, CHP, CHPSE
302.478.3600 x136
nheesters@wvmi.org
www.dehitrec.org
Legal Disclaimer
• The information included in this presentation is for informational purposes only and is not a substitute for legal advice.
• Please consult your attorney if you have any particular questions regarding a legal issue.
Quotes
• OCR Director Leon Rodriguez regarding the Omnibus Rules:
  • “This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”
  • “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Who?
• The Omnibus Rules apply to:
  • Covered Entities (providers, hospitals, health plans)
  • Business Associates
  • Subcontractors to Business Associates that handle PHI on behalf of Business Associates
Who: Business Associates
• The HIPAA Rules define “business associate” to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.
• Disclosure means the release, transfer, provision of, access to, or divulging in any manner outside the entity holding the information.
• Access means the ability or means necessary to read, write, modify or communicate data/information or otherwise use any system resource.
Who: Business Associates
• The Omnibus Rule expressly lists as BAs:
  • Health Information Organizations, e-Prescribing Gateways or other persons that provide data transmission services of PHI to a CE and that require routine access to PHI
  • Persons who offer a personal health record (PHR) on behalf of a CE
  • Patient Safety Organizations (PSOs)
Who: Business Associates
• The definition of “business associate” was modified to include a person who “creates, receives, maintains, or transmits” PHI on behalf of a CE.
• An entity that maintains PHI on behalf of a CE is a BA even if the entity does not actually view the PHI.
• Example: A data storage company that has access to PHI (whether digital or hard copy) qualifies as a BA, even if the entity does not view the information.
Who: Business Associates
• A person becomes a BA by definition, not by the act of contracting with a CE or otherwise.
• Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits PHI on behalf of a CE or BA and otherwise meets the definition of a BA.
Who: Subcontractors
• A subcontractor is a person who acts on behalf of a BA, other than as a member of the workforce of the BA.
• A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA, including with respect to PHR functions, is a HIPAA BA.
• A subcontractor is also a person to whom a BA has delegated a function, activity, or service the BA has agreed to perform for a CE or BA.
Who: Subcontractors
• The term “subcontractor” applies to an agent or other person who acts on behalf of the BA, even if the BA has failed to enter into a BAA with the person.
• CEs must ensure that they obtain satisfactory assurances from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far “down the chain” the information flows.
Who: Business Associates
• BAs must comply with the technical, administrative, and physical safeguard requirements, as well as the policies and procedures and documentation requirements, for ePHI under the HIPAA Security Rule.
• Direct liability for BAs under HIPAA would attach regardless of whether a BA, contractor and/or subcontractors have entered into the required business associate agreements.
What: Breach Notification
• An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.
• Unless the PHI was unreadable or undecipherable, the risk assessment must justify not disclosing a breach.
• Previously, CEs and BAs were required to perform a risk assessment to determine if there was a significant risk of harm to the individual as a result of the impermissible use or disclosure. This was known as the risk of harm standard.
What: Breach Notification
• The risk of harm standard was removed and the risk assessment modified to focus more objectively on the risk that PHI has been compromised.
• The risk of harm standard may have been interpreted as setting a higher threshold for breach notification than was intended.
• Breach notification is necessary in all situations except those in which the CE or BA demonstrates that there is a low probability that the PHI has been compromised.
What: Breach Notification
• CEs and BAs must assess the probability that the PHI has been compromised based on a risk assessment that considers at least the following factors:
  • the nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
  • the unauthorized person who used the PHI or to whom the disclosure was made;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.
What: Breach Notification
• Omnibus Rule breach example:
  • If a CE misdirects a fax containing PHI to the wrong physician practice, and upon receipt, the receiving physician calls the CE to say he has received the fax in error and has destroyed it, the CE may be able to demonstrate, after performing a risk assessment, that there is a low risk that the PHI has been compromised.
What: Restriction of PHI Disclosure
• Old Rule:
  • Individuals could request a CE to restrict uses or disclosures of their PHI.
  • But CEs were not required to agree to such restrictions. If the CE did agree, however, then they were required to abide by the restriction.
• New Rule:
  • Individuals can request a restriction on disclosure of PHI to a health plan, and the CE must agree if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full (unless such disclosure is otherwise required by law).
What: Restriction of PHI Disclosure
• CEs do not need to create separate medical records or otherwise segregate PHI subject to a restricted health care item or service.
• CEs will, however, need to flag or make a notation in the record with respect to the PHI that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
• CEs should already have in place minimum necessary policies and procedures, which require limiting the PHI disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure.
What: Marketing
• Authorization is required for communications about health-related products and services to individuals for which the CE receives financial remuneration by a third party.
• Exceptions:
  • Refill reminders
  • Information concerning a currently prescribed drug
  • Face-to-face communications
What: Sale of PHI
• An authorization is required if PHI is disclosed in exchange for remuneration.
  • Includes direct and indirect remuneration
  • Not limited to financial remuneration
• If an authorization is obtained, it must state that disclosure will result in remuneration.
• Exceptions:
  • Corporate transactions (due diligence)
  • Treatment and Payment
  • Required by law
  • Public health
What: Fundraising
• Additional PHI data may be used for fundraising purposes:
  • Department of service
  • Treating physician
  • Outcome
  • Health insurance status
• Treatment cannot be conditioned on not opting out, and opt-out provisions must be clear and conspicuous.
What: GINA and Decedents
• Genetic Information Nondiscrimination Act
  • Genetic information is PHI
  • Genetic discrimination for health insurance and employment purposes is prohibited.
  • Applicable mainly to health plans
• Decedents
  • A CE must comply with the requirements of the Privacy Rule with regard to the PHI of a deceased individual for a period of 50 years following the date of death.
What: Electronic Copy Requests
• If an individual requests an electronic copy of PHI, the CE must provide it in the form requested, if readily producible; otherwise, in a readable format agreed to by the CE and the individual.
• If the individual will not agree to a format, the CE must provide it on paper.
• The CE may only charge for the labor of copying and the cost of media (CD, USB, etc.).
• The CE has 30 days (with one 30-day extension) to provide access.
What: Student Immunizations
• CEs are permitted to disclose proof of immunization to a school where state or other law requires the school to have such information prior to admitting the student.
• Written authorization is no longer required for this disclosure, but CEs will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis, or from the individual himself or herself, if the individual is an adult or emancipated minor.
• The CE must document the agreement obtained.
What: Enforcement
• OCR will investigate any complaint in which a preliminary review indicates a possible violation due to willful neglect.
• Willful neglect means “conscious, intentional failure or reckless indifference.”
• Previously, OCR was required to attempt to resolve possible HIPAA violations informally.
• Now, informal attempts at resolution are discretionary (except in the case of willful neglect, which requires an investigation).
What: Enforcement
• A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.
• A CE or BA may be subject to penalties for multiple violations, with the $1.5 million cap applying to each violation separately, which would result in a total penalty above $1.5 million.
What: Enforcement
• Largest HIPAA fine: $4.3M against Cignet Health in MD in February 2011 ($3M was for willful neglect).
• HIPAA jail time: In April 2010 Dr. Huping Zhou of UCLA Health System was sentenced to 4 months in prison.
• Smallest provider enforcement: In April 2012, a practice owned by 2 physicians paid $100,000 to settle HIPAA violations.
What: Notice of Privacy Practices
• Notice that the use or disclosure of PHI for marketing purposes requires an authorization.
• Notice that most uses or disclosures of an individual’s psychotherapy notes require authorization (if applicable).
• Notice that disclosures that constitute a sale of PHI require an authorization.
• Notice that an individual has a right to opt out of fundraising communications (if applicable).
What: Notice of Privacy Practices
• Notice that an individual can restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
• Notice that an individual has a right to notice if their PHI has been breached.
• These changes to the NPP are considered material changes, which require that CEs promptly revise and make available their new and revised NPPs.
What: Notice of Privacy Practices
• Providers must make the NPP available upon request on or after the effective date.
• Providers are not required to print and hand out a revised NPP to all individuals seeking treatment.
• Providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them.
• Providers are only required to give a copy of the NPP to, and obtain a good faith acknowledgment of receipt from, new patients.
When
• The Omnibus Rules are effective as of March 26, 2013.
  • Effective Date: Date on which a rule or regulation becomes law.
• All CEs and BAs need to be in full compliance by September 23, 2013.
  • Compliance Date: Date by which all affected entities must comply.
Suggested Next Steps
• Update Notice of Privacy Practices
• Review and identify all Business Associates
• Update Business Associate Agreements
• Update breach notification policies and procedures
• Develop and train employees on new policies (patient-requested PHI restrictions, patient-requested electronic copies of PHI, breach notification, etc.)
• Review and update authorization and other forms as necessary
Questions?
• Additional Resources:
  • Omnibus Press Release: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
  • Omnibus Final Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
  • BAA Sample Language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
  • Breach Analysis Template: Pending
  • NPP Template: Pending
• Regional Extension Center - Nick Heesters
  • Office: 302.478.3600, Ext. 136
  • E-mail: nheesters@wvmi.org

This project is made possible through a grant from the Office of the National Coordinator with Department of Health and Human Services support. Grant No. 90RC0044/01. Publication No. DEREC-LF-032013-A. App. 3/13.