Overview of the Omnibus Final HIPAA Rule
Deanna Turner, Kohler HealthCare Consulting, Inc.
410.461.5116
Goals for Session
– Define the statutory timeline and the reasons for the changes to the final HIPAA (Health Insurance Portability and Accountability Act) Rule
– Provide an overview of the changes in the final Rule
– Highlight the responsibilities and requirements of the expanded pool of Business Associates (BAs)
– Summarize new and expanded individual rights
– Outline changes to “Breach Notification”
– Provide advice on “Next steps”
Background: Statutory Timeline
January 17, 2013: Omnibus Rule announced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS)
– Largest expansion of HIPAA privacy, security, enforcement and breach notification efforts in at least a decade
March 26, 2013: Effective date of the Omnibus Rule (60 days after publication in the Federal Register)
September 23, 2013: Date by which covered entities and business associates must comply with the requirements (180 days after the effective date)
Now is the time to determine whether these changes will affect your business relationships!
Background: Why the Changes?
Updates and clarifies obligations enacted in February 2009 by the HITECH Act
Changes are designed to advance health information technology and incentivize the use of electronic health data and information
Consumer-based focus with an orientation toward active enforcement
Most sweeping changes since the law was first implemented
Goal: Improve patient privacy and security protections, and increase penalties for non-compliance
Background: What’s Changed?
– Expansion of responsibilities, extension of obligations, and increased liability of business associates and covered entities;
– Tightening of limits on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes;
– Strengthening of individuals’ rights and control over their PHI (access, disclosures);
– Establishment of new required authorizations for individuals’ PHI (sale, research, decedent data);
– Modifications to the Notice of Privacy Practices;
– Lowered “threshold of harm” related to breaches and increased obligations regarding breach notifications; and
– Enhancement of provisions related to enforcement and penalties for non-compliance
Business Associates and Enhanced Requirements
Business Associates (BAs) are partners and vendors that perform work on behalf of a covered entity
HHS has added the word “maintains” to the previous definition to clarify that entities that store or maintain PHI are business associates
Includes the HITECH Act-mandated specific inclusion of:
– Entities that provide data transmission services to a covered entity; and
– A person that offers a personal health record to one or more individuals on behalf of a covered entity
Business Associates and Enhanced Requirements
Entities are Business Associates if they create, receive, handle, maintain, transmit or store PHI, even if they never actually view the PHI

INCLUDES
– Health Plans
– Third Party Administrators
– E-Prescribing Gateways
– Billing Companies
– Technology Vendors
– Personal Health Record Vendors

DOES NOT INCLUDE
– Companies that serve only as conduits for PHI, such as Internet service providers and courier services
Business Associates and Enhanced Requirements
A subcontractor is defined as a “person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate”.
Previously: It was unclear whether the privacy and security rules added by HITECH extended to subcontractors
Now: Subcontractors are specifically included in the modified definition of “business associate”
RESULT: The government has the authority to penalize BOTH business associates and subcontractors!
Direct Liability of Covered Entities and Business Associates
Covered entities and business associates are directly liable for violations including:
– Non-compliance with the HIPAA Security Rule’s administrative, physical and technical safeguards
– Impermissible uses and disclosures of PHI, and violations of certain other requirements under the Privacy Rule
– Failure to notify of a breach of unsecured PHI
– Non-compliance with documentation requirements, including executing business associate agreements
– Failure to disclose PHI to the Secretary when required to determine the business associate’s compliance
Direct Liability of Covered Entities and Business Associates
Both covered entities and business associates are liable for violations due to the acts or omissions of their agents (subcontractors).
– Not all business associates are automatically agents of covered entities, and not all subcontractors are agents of covered entities.
– Liability depends on whether there is an agency relationship and whether the act or omission was within the scope of the agency.
Covered entities and business associates are required to obtain “satisfactory assurances” by executing agreements with their business associates and subcontractor business associates.
Business Associates Obligations
The Omnibus Rule clarified that business associates must:
– Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
– Provide PHI to the Secretary upon demand;
– Provide an electronic copy of PHI to an individual (or the covered entity) if an individual requests it;
– Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
– Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.
Expanded Individual Rights: Use of PHI
Tightened limitations on the use and disclosure of PHI for marketing purposes
Requires covered entities to obtain authorization from individuals if the covered entity receives payment for producing or distributing the materials
Communications allowed without authorization, but the recipient must be able to “opt out”:
– Case Management
– Care Coordination
– Therapies
– Alternative Treatments or Providers
– Prescription reminders (as long as remuneration is limited to reasonable costs)
Expanded Individual Rights: Sale of PHI
Sale of PHI is prohibited without individual authorization unless:
– The disclosure is for public health purposes, or for treatment and payment; OR
– It is another allowed disclosure, such as a normal disclosure to a business associate
The authorization must be worded clearly so that individuals can make informed decisions
The authorization must state that the covered entity will receive payment for the disclosure
Expanded Individual Rights: Patient Requests for PHI
Individuals can request that a covered entity provide electronic copies of their health information
Covered entities that maintain electronic records must provide PHI in the format requested by the individual if it is readily producible
If not readily producible, the information must be provided in a readable electronic format agreed to by both the covered entity and the individual
Covered entities may not charge more than the cost of the labor and materials required to provide the electronic records
Expanded Individual Rights: Patient Requests for Restrictions on Disclosures
Individuals can request that a covered entity not disclose to the individual’s health plan information concerning treatment for which the provider has been paid out-of-pocket in full
Prior: Covered entities were not required to agree to such a request
Now: Covered entities must agree, and will need some method of flagging the restricted PHI in the individual’s record to ensure that such information is not inadvertently sent or made accessible to the health plan
Expanded Individual Rights: Use of PHI for Research
Created a simplified and streamlined process for gaining individual authorizations for the use of PHI
Prior: Researchers were obligated to ask for permission for each distinct use of PHI
– Added unnecessary complexity and confusion to the process of obtaining consent
Now: Covered entities can ask individuals to consent to sharing PHI for a particular research study and, by extension, use the consent for related research purposes
– Example: Obtain consent to share PHI and also use the same consent for the creation of a database that stores the information and allows it to be queried
Expanded Individual Rights: Use of Genetic Information
Enhanced privacy protections for genetic information
– Required by the Genetic Information Nondiscrimination Act (GINA)
Clarifies that genetic information is considered health information for purposes of HIPAA
Prohibits health plans from using or disclosing genetic information for underwriting purposes
– Exception: Issuers of long-term care policies
Insurers must communicate this to consumers in their Notice of Privacy Practices
Expanded Individual Rights: Privacy Practices
Covered entities must modify and redistribute Notices of Privacy Practices (NPPs) to include announcements regarding the new privacy practices
Revised NPPs must include:
– New authorization requirements around the sale and marketing of PHI
– Breach notification responsibilities of the covered entity
– Right to “opt out” of fundraising and marketing communications
– Right of patients to request disclosure restrictions for services paid out-of-pocket to providers
Data Breaches by the Numbers
94% of healthcare organizations suffered a data breach in the past two years
– Of those, 45% suffered more than 5 such incidents
Average economic impact of a data breach in 2011 and 2012 for healthcare organizations was $2.4 million
– $400,000 greater than in 2010
– Aggregate annual cost: $7 billion
Average number of lost or stolen records per breach: 2,769
And these numbers are going to increase with the new changes...
“Third Annual Benchmark Study on Patient Privacy and Data Security”, ID Experts Corp, 2012
Changes to the Breach Notification Framework
The HITECH Act of 2009 established a statutory requirement for breach notification
Affected individuals had to be notified of any breach of unsecured PHI; notice to HHS and the media at the time of the breach was required only when 500 or more individuals were affected
Breach = “the acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of the protected health information”
Compromises = “poses a significant risk of financial, reputational, or other harm to the individual”
Changes to the Breach Notification Framework
The burden of proof regarding breaches has now shifted, and the “threshold of harm” has been lowered
It is now presumed that any acquisition, access, use or disclosure of PHI not permitted under the HIPAA Privacy Rule is a breach, regardless of the number of individuals affected
Exception: If a covered entity or business associate can demonstrate that “there is a low probability that the [PHI] has been compromised based on a risk assessment”
Changes to the Breach Notification Framework
Business associates that experience a breach must provide notice of the breach of unsecured PHI to their covered entity “without unreasonable delay and in no case later than 60 days following the discovery of the breach”
Incidents that may not have been considered serious risks in the past will now need to be reported to the affected individuals and the Office for Civil Rights (OCR)
The new threshold is stricter but is intended to be more objective and easier to interpret and apply
Breach Notification - Risk Assessment
A risk assessment can be used to demonstrate that there is a low probability that PHI has been compromised
The risk assessment must include consideration of at least the following factors:
– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
– The unauthorized person who used the PHI or to whom the disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
Breach Notification
Prepare your organization to minimize its risk of breach!
HHS stated in the Omnibus Rule that it will issue future guidance on risk assessments associated with breaches; however, no timeline was given.
Organizations should begin by identifying the compliance gaps that led to past incidents and closing those gaps.
Enhanced Enforcement
The final rule solidifies and enhances provisions related to:
– Compliance reviews and investigations
– Imposition of civil monetary penalties
– Procedures for hearings
The maximum annual penalty for identical violations of a provision has been increased to $1.5 million
Requires the HHS Secretary to conduct a compliance review whenever a preliminary review of a complaint indicates a possible violation by an organization (covered entity or business associate) due to willful neglect
HHS has leeway in deciding the amount of a fine and can base its decision on contributing factors (e.g. past complaints, nature of harm, etc.)
Enhanced Enforcement: Penalties
Penalties are tiered by culpability. For each tier, the first figure is the amount per violation and the second is the calendar-year cap for identical violations:
– Violator did not know and could not reasonably have been expected to know: minimum $100 / $25,000; maximum $50,000 / $1,500,000
– There was “reasonable cause” and no “willful neglect”: minimum $1,000 / $100,000; maximum $50,000 / $1,500,000
– There was “willful neglect” and the violation was corrected: minimum $10,000 / $250,000; maximum $50,000 / $1,500,000
– There was “willful neglect” and the violation was not corrected: minimum $50,000 / $1,500,000; no separate maximum specified
Next Steps for Covered Entities and Business Associates
Gap Analysis
– Conduct a gap analysis between current policies and procedures and the new requirements
• Determine what changes are needed
• Implement those changes as soon as reasonably possible
– Identify and document business associates under the new definition
– Business associates should identify and document their subcontractors
• Confirm business associate agreement obligations and exposure to liability for noncompliance
Next Steps for Covered Entities and Business Associates
Business Associates
– Create a separate set of policies and procedures to comply with these new rules.
– Business associates are not required to have their own privacy policies and procedures or to train their workforce on privacy rules, but it is strongly recommended.
– Business associates that discover a breach must report it to the covered entity, and a subcontractor must report a breach to the business associate.
– Ultimately, the covered entity has the obligation to notify affected individuals of a breach, even if the breach occurred at the business associate, and even if the responsibility to notify has been delegated to the business associate.
Next Steps for Covered Entities and Business Associates
Breach Notification
– Organizations should review and revise their breach notification policies, procedures and breach response plans.
– Covered entities are required to notify all affected individuals as soon as possible.
• 60 days is the outer limit
• OCR treats a breach as “discovered” when the entity becomes aware of the breach, or should have gained knowledge of the breach through due diligence.
– The “discovery” standard applies to employees and agents of covered entities, including business associates.
Next Steps for Covered Entities and Business Associates
Workforce Training
– Provide additional training and awareness communications to personnel about the new requirements.
– Plan a training session with all personnel in the near future, preferably before or near the March 26, 2013 effective date of the Omnibus Rule.
– Establish a way to monitor compliance by business associates and related risks on an ongoing basis, enabling quick identification and mitigation of problems.
Next Steps for Covered Entities and Business Associates
Review and Amend Business Associate Agreements
– Update policies and procedures
– Review and, if needed, amend existing business associate agreements to comply with the new requirements
OCR recently posted sample business associate agreement provisions on its website:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
– The language may also be adapted for a contract between a business associate and its subcontractor.
– The template provisions are a helpful starting point, but additional revisions are advisable, such as detail regarding mitigation in the event of a breach.
Next Steps for Covered Entities and Business Associates
Revise and distribute new Notices of Privacy Practices to individuals, informing recipients of the following:
– The new prohibition against health plans using or disclosing genetic information for underwriting purposes;
– The prohibition on the sale of protected health information without the express written authorization of the individual, including other uses and disclosures that require authorization, such as marketing and disclosure of psychotherapy notes;
– The duty of a covered entity to notify affected individuals of a breach;
– The individual’s right to opt out of receiving fundraising communications; and
– The individual’s right to restrict disclosures of protected health information to a health plan where the individual paid out of pocket in full.
Questions?