
The Next Decade of HIPAA: Omnibus Final Rule and Enforcement


Presentation Transcript


  1. The Next Decade of HIPAA: Omnibus Final Rule and Enforcement
     IMGMA Spring Conference, May 9, 2013
     Vickie Brady Ahlers
     Baird Holm LLP
     1700 Farnam Street, Suite 1500
     Omaha, Nebraska 68102-2068
     (402) 344-0500
     www.bairdholm.com
     DOCS/1178394.1

  2. Observations from 2012 OCR Performance Audits
     • Performance not close to the level it should have been by now
     • As a whole, CEs have much to do to comply
     • Smaller providers have the biggest challenges
     • Lack of definition and standards affects performance
     • Lack of resources affects performance
     • Lack of priority affects performance

  3. Why changes to HIPAA?
     “This final rule is needed to strengthen the privacy and security protections established under HIPAA for individuals’ health information maintained in electronic health records and other formats”

  4. Twitter Hacked: Data for 250,000 Users May Be Stolen
     February 1, 2013, New York Times, NICOLE PERLROTH
     Twitter announced late Friday that it had been breached and that data for 250,000 Twitter users was vulnerable. The company said in a blog post that it detected the unusual access patterns earlier this week and found that user information – usernames, e-mail addresses and encrypted passwords – for 250,000 users may have been accessed in what it described as a “sophisticated attack.”

  5. Apple Suffers Major Breach
     February 19, 2013, World News, NEAL UNGERLEIDER
     Apple suffered a major security breach last week when China-linked hackers infiltrated an unknown number of corporate computers. In a short statement given to Reuters' Jim Finkle and Joseph Menn, Apple representatives said that an unknown number of employee Macs had been breached but that “there was no evidence any data left Apple.” According to Reuters, Apple was attacked by the same hackers who attacked Facebook, who were later linked to China. There are unconfirmed rumors that the FBI is helping Facebook investigate its own hack.

  6. If the “Innovators” can’t master security, then…
     How secure are electronic medical records and electronic billing records?

  7. OCR Resolution Agreements
     • Providence Health & Services (Jul 2008 – backup tapes and laptops stolen – $100K)
     • CVS Pharmacy (Jan 2009 – improper disposal – $2.25M)
     • Rite-Aid (Jul 2010 – improper disposal – $1M)
     • Management Services Organization of Washington (Dec 2010 – improper disclosure – $35K)
     • Cignet (Feb 2011 – denying patient access; failure to cooperate – $4.3M)
     • Massachusetts General Hospital (Feb 2011 – records left on train – $1M)
     • UCLA Health Services (Jul 2011 – snooping – $865K)
     • Blue Cross Blue Shield of Tennessee (Mar 2012 – 57 unencrypted computer hard drives stolen – $1.5M)
     • Phoenix Cardiac Surgery, P.C. (Apr 2012 – posting appointments to internet – $100K)
     • Alaska Medicaid (Jun 2012 – unencrypted USB stolen – $1.7M)
     • Massachusetts Eye and Ear Infirmary (Sep 2012 – unencrypted laptop stolen – $100K)
     • Hospice of Northern Idaho (Dec 2012 – unencrypted laptop stolen – $50K)

  8. Omnibus Final Rule
     • Privacy Rule
     • Security Rule (minor)
     • Breach Notification Rule
     • Enforcement Rule
     Still Pending:
     • Final Rule on Accounting for Disclosures
     • Minimum Necessary Guidance

  9. What Does OCR Think of the Omnibus Rule?
     “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
     Leon Rodriguez, OCR Director

  10. Enforcement Rule Key Changes
     • Increased Penalties
     • Willful Neglect
     • Covered Entities liable for Acts of Business Associates acting as Agents

  11. Key Changes – Increased Penalties/Willful Neglect
     • Violations in 4 tiers with increasing penalties
       • Did not know
       • Reasonable cause
       • Willful neglect – corrected
       • Willful neglect – not corrected

  12. Key Changes – BAs as Agents
     • Removed prior affirmative defense of CE that breach was caused by the BA and CE had a BAA in place and did not know of a pattern of noncompliance
     • Now – express provision that CE is liable for the acts of the BA if the BA is an agent of the CE acting within the scope of agency

  13. Key Changes – BAs as Agents
     • When is a business associate your agent?
     • Standard: Federal common law of agency
     • "The authority of a covered entity to give interim instructions or directions is the type of control that distinguishes covered entities in agency relationships from those in non-agency relationships… Specifically, if the only avenue of control is for a covered entity to amend the terms of the agreement or sue for breach of contract, this generally indicates that a business associate is not acting as an agent."

  14. Privacy Rule Key Changes
     • Business Associates
     • New rules for fundraising
     • Stricter marketing standards
     • Sale of PHI prohibited
     • Enhanced individual rights
     • Notice of Privacy Practices changes
     • Miscellaneous

  15. Key Change – Business Associates
     • Expanded definition of BA to include:
       • Subcontractors and Subs of Subs
       • An entity that provides data transmission services of PHI to a CE and requires access on a routine basis
       • An entity that maintains PHI on behalf of a CE, even if the entity does not access the PHI
       • Patient safety organizations

  16. Key Change – Business Associates
     • Business Associates Directly Liable for –
       • Use and disclosure restrictions of BAA and Privacy Rule (including minimum necessary)
       • Entering into Subcontractor BAAs
       • Making books and records available to Secretary of HHS
       • Providing access to PHI in electronic form
       • Providing an accounting of disclosures (Final Rule Pending)
       • Providing breach notification to the covered entity
       • Complying with Security Rule

  17. Key Change – Fundraising
     • Expanded categories of PHI that can be used for fundraising
       • Demographic (name, address, DOB, age, gender)
       • Dates of health care provided
       • Department of Service (e.g., cardiology, peds)
       • Treating physician
       • Outcome information
       • Health insurance status

  18. Key Change – Fundraising
     • Must include intent to make fundraising communications in NPP
     • All fundraising communications must include clear and conspicuous opt-out method (without undue burden)
       • Toll free number, e-mail address, pre-paid post card
     • Cannot send communication if opted out

  19. Key Change – Marketing
     • Marketing: To make a communication about a product or service that encourages recipients to purchase or use the product or service
     • Authorization required for all subsidized marketing communications
       • Where CE or BA receives direct or indirect financial remuneration from a third party for making a communication to encourage individuals to purchase a third party’s product or service
       • Even if it fits treatment purpose or health care operations
     • Need Authorization before looking through databases to decide to whom to market

  20. Key Change – Marketing
     • Exceptions from authorization requirement
       • Face to face communications by CE to an individual
       • Promotional gifts of nominal value
     • Authorization must state that remuneration will be received

  21. Key Change – Marketing
     • Exceptions to Definition of Marketing
       • Refill reminders or communications about drugs currently being prescribed for the individual, only if the remuneration received by the CE is related to its cost to make the communication
       • (Preamble) Communications promoting health in general with no product reference
       • (Preamble) Communications about govt-sponsored programs

  22. Key Change – Sale of PHI Prohibited
     • Cannot Sell PHI except for:
       • Public health purposes
       • Research (fee limited to cost-based)
       • Limited data set (broader public health purposes / research w/fee limits)
       • Treatment and payment purposes
       • Transfer, merger, consolidation
       • Disclosures required by law
       • Individual access/accounting
       • Payment to business associate
       • Cost-based fee to prepare and transmit PHI for permitted purpose

  23. Key Change – Enhanced Individual Rights
     • Mandatory Restrictions to Health Plan
       • Disclosures to Health Plan for payment or health care operations
       • Disclosure not otherwise required by law
       • PHI pertains solely to health care item or service for which individual has paid the CE in full

  24. Key Change – Enhanced Individual Rights
     • Mandatory Restrictions to Health Plan – Some Issues
       • PHI referenced in several parts of record
       • Medicare/Medicaid beneficiaries
       • Bundled services
       • HMO rules on billing above cost-sharing amounts
       • Pre-certification
       • Requests after care initiated

  25. Key Change – Enhanced Individual Rights
     • Electronic Access to PHI
       • All PHI maintained in electronic designated record set (not just EHR) (but, not required to scan paper records)
       • If readily producible in form and format requested by individual
       • Or, if not, in another “machine readable” electronic format agreed between CE and individual (MS Word, Excel, PDF, HTML)

  26. Key Change – Enhanced Individual Rights
     • Electronic Access to PHI
       • Provide a disc or USB drive to patients (cannot require them to buy USB drive if they prefer another form or format)
       • Provide access through a web-based portal
       • Send record via e-mail (caution!)
         • Can send unsecured if requested by individual and individual has been advised of the risks
       • DO NOT take USB drive from patient and put it in your system!

  27. Key Change – Enhanced Individual Rights
     • Electronic Access to PHI
       • Fees
         • Labor costs of skilled technical staff to create and copy electronic file
         • Cost of USB if individual requests that format
       • Timeliness
         • Shortened to 30 days with one 30 day extension
         • Meaningful use timelines much shorter

  28. Key Change – Notices of Privacy Practices
     • Mandatory revisions:
       • Fundraising intent
       • Disclosure of psychotherapy notes requires authorization
       • Marketing requires authorization
       • Sale of PHI requires authorization
       • Mandatory restriction rights
       • Expanded electronic access rights
       • Breach Notification obligations (do not need to describe risk assessment factors)
       • Uses/Disclosures not described in NPP require authorization
       • Protection for genetic information (if applicable)

  29. Key Change – Notices of Privacy Practices
     • Suggested revisions:
       • Include disclosure of immunization records to schools
       • Address deceased individuals protected for 50 years after death
       • Disclosure of PHI after death to family and friends involved in care or payment for care before death
       • Individual rights – respond on timely basis in accordance with CE policies

  30. Key Change – Notices of Privacy Practices
     • Distribution Requirements
       • NOT required to mail/hand out to existing or former patients
       • Only required to give to new patients after effective date (and obtain acknowledgement)
       • Must prominently post in locations where it is reasonable for patients to see it and on provider’s website
       • Available upon request at service delivery sites to anyone who requests it

  31. Breach Notification Rule
     Breach: The access, acquisition, use or disclosure of PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI.

  32. Key Change – Compromises PHI
     • INTERIM FINAL:
       • Compromises PHI only if significant risk of financial, reputational, or other harm
     • FINAL:
       • Presumed to be a breach unless CE demonstrates “low probability” that PHI has been compromised based on 4-part risk assessment
       • OCR rejected bright line rule
         • “Is so inconsequential that it does not warrant notification”
       • Does risk of harm still matter?

  33. Key Change – Compromises PHI
     • Risk Assessment Factors
       1. Nature and extent of PHI, including types of identifiers and likelihood of re-identification
       2. Who is the unauthorized recipient?
       3. Was the PHI actually acquired or viewed?
       4. Extent to which the potential risk to the PHI has been mitigated

  34. Key Change – Compromises PHI
     1. Nature and extent of PHI, including types of identifiers and likelihood of re-identification
       • Analyze probability that PHI could be “used by the unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests”
       • SSN, credit card numbers “increases risk of identity theft” or financial harm to the individual
       • If few or no direct identifiers, consider risk data could be re-identified

  35. Key Change – Compromises PHI
     2. Who is the unauthorized recipient?
       • A CE, BA, workforce directly regulated by HIPAA or another law? May be “lower probability that PHI has been compromised”
       • Why? Because “the recipient of the PHI is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity”
       • But – also consider if a recipient is in a position to re-identify the information (e.g., employer)
       • Rule covers use and disclosure – can be within CE or BA (but may be factor, or meet exceptions)

  36. Key Change – Compromises PHI
     3. Was the PHI actually acquired or viewed?
       • Technical/forensic investigation critical
       • Access logs, audit trails at a premium to demonstrate “low probability”
       • Stolen laptop example in preamble
       • Wrong address example in preamble
       • Can’t stop with analysis if not acquired or viewed – must still address all 4 factors
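The audit-trail point on this slide is where the technical investigation decides the outcome. The Python below is an added example, not part of the presentation: it reconstructs factor 3 from an EHR audit trail for a hypothetical situation in which one workforce account's activity cannot be vouched for during a stated window. The `ts|user|action|mrn|ip` log format, the account name, the record numbers and every log line are constructed for illustration. It first checks that the trail actually covers the whole window, because silence from a log with a gap is not evidence of no access, and then lists which at-risk records were viewed, printed or exported.

```python
"""Added example: using an EHR audit trail to answer "was the PHI actually
acquired or viewed?" (factor 3 of the breach risk assessment).
Everything here is constructed for illustration: the 'ts|user|action|mrn|ip'
log format, the account name, the record numbers and the sample lines."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit log; the late-evening entries from an outside
# address are the ones the assessment must account for.
SAMPLE_AUDIT_LOG = """\
2013-04-02T08:15:03Z|jsmith|VIEW|MRN1001|10.0.4.21
2013-04-02T08:16:40Z|jsmith|PRINT|MRN1001|10.0.4.21
2013-04-02T09:02:11Z|rjones|VIEW|MRN1002|10.0.4.30
2013-04-02T21:47:55Z|jsmith|VIEW|MRN1003|203.0.113.9
2013-04-02T21:48:30Z|jsmith|EXPORT|MRN1003|203.0.113.9
2013-04-02T21:49:02Z|jsmith|VIEW|MRN1004|203.0.113.9
2013-04-03T07:30:00Z|jsmith|VIEW|MRN1005|10.0.4.21
"""

# Hypothetical scenario: the account's activity cannot be vouched for
# between these two instants, and these records are thought to be at risk.
SUSPECT_USER = "jsmith"
WINDOW_START = datetime(2013, 4, 2, 20, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 4, 3, 6, 0, tzinfo=timezone.utc)
AT_RISK_MRNS = ["MRN1001", "MRN1003", "MRN1004", "MRN1005"]

# Actions after which record content has reached the user (constructed taxonomy).
DISCLOSING_ACTIONS = {"VIEW", "PRINT", "EXPORT"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    mrn: str
    source_ip: str


def parse_audit_log(text):
    """Parse 'ts|user|action|mrn|ip' lines; malformed lines are dropped, never guessed."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(ts, parts[1], parts[2], parts[3], parts[4]))
    return events


def log_covers_window(events, start, end):
    """True only if the trail has entries both before the window opens and after it
    closes; otherwise silence inside the window may be a logging gap, not absence of access."""
    if not events:
        return False
    stamps = [e.ts for e in events]
    return min(stamps) <= start and max(stamps) >= end


def events_in_window(events, user, start, end):
    """Every event by `user` with start <= ts < end."""
    return [e for e in events if e.user == user and start <= e.ts < end]


def acquired_or_viewed(events, user, start, end, candidate_mrns):
    """Map each at-risk record to the disclosing actions recorded for `user` in the
    window, in log order. An empty list means the trail shows no access to that record."""
    result = {mrn: [] for mrn in candidate_mrns}
    for e in events_in_window(events, user, start, end):
        if e.mrn in result and e.action in DISCLOSING_ACTIONS:
            result[e.mrn].append(e.action)
    return result


def summarize(assessment):
    """Split the assessment into records with and without a recorded access."""
    return {
        "accessed": sorted(m for m, acts in assessment.items() if acts),
        "no_recorded_access": sorted(m for m, acts in assessment.items() if not acts),
    }


def run_assessment():
    """Run the constructed scenario end to end; returns None if the log cannot cover it."""
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    if not log_covers_window(events, WINDOW_START, WINDOW_END):
        return None
    return acquired_or_viewed(events, SUSPECT_USER, WINDOW_START, WINDOW_END, AT_RISK_MRNS)


if __name__ == "__main__":
    outcome = run_assessment()
    if outcome is None:
        print("audit trail does not cover the exposure window; cannot show low probability")
    else:
        for mrn, actions in sorted(outcome.items()):
            print(mrn, ", ".join(actions) if actions else "no recorded access")
```

The result feeds the four-factor assessment rather than replacing it: a record with no recorded access still has factors 1, 2 and 4 to consider, as the slide notes, and a record with a recorded VIEW or EXPORT during the window is one the covered entity cannot claim was untouched.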

  37. Key Change – Compromises PHI
     4. Extent to which the potential risk to the PHI has been mitigated
       • Risk to PHI v. Risk of Harm (What’s the difference?)
       • Get satisfactory assurances
       • Consider extent of mitigation in protecting against misuses (harm) and redisclosure
       • Influenced by #2 – who was the recipient?

  38. Key Change – Compromises the PHI
     “[a]nd we expect these risk assessments to be thorough”
     Preamble to Final Rule at 78 Fed. Reg. 5566, 5643

  39. Lots to Do before September 23rd
     • Revise policies and procedures and then update NPP (in that order)
     • Inventory/assess vendors and update BAAs
     • Update Incident Response Plan based on new breach standard
     • Education and awareness
     • Cyber insurance

  40. OCR Enforcement Highlights – Private Practices
     Private Practice Revises Process to Provide Access to Records
     Covered Entity: Private Practices
     Issue: Access
     A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record.

  41. OCR Enforcement Highlights – Private Practices
     Private Practice Revises Process to Provide Access to Records Regardless of Payment Source
     Covered Entity: Private Practices
     Issue: Access
     At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source.

  42. OCR Enforcement Highlights – Private Practices
     Physician Revises Faxing Procedures to Safeguard PHI
     Covered Entity: Health Care Provider
     Issue: Safeguards
     A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

  43. OCR Enforcement Highlights – Private Practices
     Private Practice Revises Policies and Procedures Addressing Activities Preparatory to Research
     Covered Entity: Private Practice
     Issue: Impermissible Disclosure – Research
     A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients and diagnostic codes to a contract research organization to telephone patients for recruitment purposes. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. Activities considered “preparatory to research” include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board.

  44. OCR Enforcement Highlights – Private Practices
     Radiologist Revises Process for Workers Compensation Disclosures
     Covered Entity: Health Care Provider
     Issue: Impermissible Uses and Disclosures
     A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to the patient’s employer. The claim included the patient’s test results. However, the patient was not covered by worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from worker’s compensation carriers before submitting test results to them.

  45. OCR Enforcement Highlights – Private Practices
     Clinic Sanctions Supervisor for Accessing Employee Medical Record
     Covered Entity: Outpatient Facility
     Issue: Impermissible Use and Disclosure
     A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate.

  46. OCR Enforcement Highlights – Private Practices
     Private Practice Implements Safeguards for Waiting Rooms
     A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and procedures. In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.

  47. Risk Areas
     • Mobile Devices
     • Mobile Devices
     • Mobile Devices
     • (and other Mobile Devices)

  48. Mobile Device Data Breaches
     • In an analysis of data from January 1, 2009 through May 31, 2012 collected from the Privacy Rights Clearinghouse and the Open Security Foundation, report authors conclude that mislaid, stolen or discarded portable devices caused records with the personally identifiable information of 80.7 million individuals to be breached.
     • As of November 1, 2012, approximately 40% of the breaches affecting 500 or more individuals reported to the Department of Health and Human Services involved mobile devices.
     Sources:
     http://www.fiercemobilegovernment.com/story/portable-devices-greatest-cause-pii-government-data-breaches/2012-09-11
     www.hhs.gov/OCR/privacy/HIPAA

  49. 2012 Data Breaches
     • Blount Memorial Hospital, Maryville, Tennessee
       • Password-protected laptop stolen from employee’s home
       • Contained patient names, dates of birth, responsible party names, patient addresses, physician names, and billing information for 22,000 patients
       • Additional 5,000 patients had similar information exposed as well as SSNs and other non-medical information

  50. 2012 Data Breaches (cont.)
     • Oregon Health & Science University Hospital, Portland, Oregon
       • Burglary of employee home resulted in theft of thumb drive used to back up data from OHSU computer systems
       • Pediatric patient information such as name, date of birth, phone number, address, medical record number, patient medical condition code, and family medical history exposed
       • Additional 702 patients had more sensitive information exposed
       • Thumb drive also contained database of staff information including names, SSNs, addresses, and employment-related vaccination information of 195 employees
