HITECH Act and HIPAA: Important Compliance Update

Susan E. Ziel
Gerald “Jud” DeLoss

Disclaimer

This content is provided for general information purposes and is not intended as legal advice. Competent legal counsel should be sought before taking any action in reliance on this content.

Legislative History

- Health Information Portability and Accountability Act of 1996
  - Privacy Regulations (2003)
  - Security Regulations (2005)
- American Recovery and Reinvestment Act of 2009 (“ARRA”) (2/17/09)
  - Title XIII: Health Information Technology for Economic and Clinical Health Act (“HITECH”)

HHS Regulations Under HITECH Act To Date

- 4/27/09 HHS Guidance: Techniques and Methods to Create Secure PHI
- 8/24/09 HHS IFR: Breach Notification Involving Unsecured PHI
- 8/30/09 HHS Moves HIPAA Security Responsibilities from CMS to OCR
- 10/30/09 HHS IFR: Amend HIPAA Civil Money Penalties and Enforcement

HITECH Act Amendments to HIPAA

- HIPAA and Business Associates
- Amended Civil and Criminal Penalties
- Breaches Involving Unsecured PHI
- “Minimum Necessary” Disclosures
- Patient Requests to Restrict Disclosures
- Accounting of Disclosures
- Marketing and Fundraising
- Patient Access to PHI in Electronic Format
- Prohibition on Sale of PHI
- HHS “Improved Enforcement”

HIPAA and Business Associates (“BA”)

Current Law
- HIPAA requirements only apply to covered entities
- BA not directly subject to HIPAA
- Covered Entities (“CE”) required to enter into BA agreements with BA
  - Indirect way to impose requirements on BA

HIPAA and Business Associates (“BA”s)

New Law Effective 2/17/10 (Section 13401)
- HIPAA Security Provisions Apply to BA
- BA required to comply with HIPAA Security Rule as if they were CE
  - 45 CFR § 164.308 (Administrative Safeguards)
  - 45 CFR § 164.310 (Physical Safeguards)
  - 45 CFR § 164.312 (Technical Safeguards)
  - 45 CFR § 164.316 (Policies and Procedures)

HIPAA and Business Associates (BA)

New Law (Section 13404)
- Certain HIPAA Privacy Provisions apply to BA
- BA required to use or disclose PHI only if such use or disclosure is in compliance with privacy provisions of their BA agreements

HIPAA and Business Associates (BA)

- Other ARRA privacy/security requirements that apply to CE “shall be incorporated” into BA agreements
- If BA aware of CE’s violation of HIPAA, BA obligated to either terminate BA agreement with CE or report CE to HHS
- BA subject to HIPAA enforcement and penalties as if a CE

HIPAA and Business Associates (BA)

Section 13408
- CE must also enter into BAA with third parties that provide PHI transmission/exchange:
  - Health Information Exchange Organizations
  - Regional Health Information Organizations
  - E-Prescribing Gateways
  - Other

Amended Civil and Criminal Penalties

Current Law
- Only CE directly liable for criminal violations

New Law Effective 2/17/10 (Section 13409)
- Clarifies that CE, as well as employees, BA, and other actors that obtain/disclose PHI maintained by a CE without authorization will be subject to potential criminal penalties

Civil and Criminal Penalties: “Improved Enforcement”

Current Law
- Civil Money Penalties (“CMP”s) limited to $100 per HIPAA violation, with a maximum of $25,000 for all violations of identical nature in single year

New Law Effective 2/17/09 (Section 13410(d))
- CMPs are now tiered and increase for different levels of HIPAA violations
- Fines range from $100 to a maximum of $1.5 million cap for all violations per year
- OCR maintains discretion to use corrective action without penalty where person did not know of violation

HHS IFR: Civil Penalties

New Definitions
- Reasonable Cause
- Reasonable Diligence
- Willful Neglect

New CMP Amounts Depend On Whether Violations Pre or Post 2/18/09
- No Knowledge
- Reasonable Cause
- Willful Neglect

Security Breach Notification

Current Law
- CE are only required under HIPAA to account for wrongful disclosure
- However, Security Rule imposes a duty to mitigate
- Remember: IN Security Breach Laws

New Law/Regulations Effective 9/17/09, Now Delayed Until 2/22/10 (Section 13402)
- CE required to notify individuals whose “unsecured” PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach
- BA required to notify CE of breach

Security Breach Notification

“Breach”
- Unauthorized acquisition, access, use, or disclosure of PHI which compromises the security/privacy of such information, except when an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information

Exceptions
- Unintentional acquisition, access, or use of PHI by employee or individual acting under authority of CE or BA in good faith & within scope of employment or other relationship; or
- Inadvertent disclosure involving employees or individuals acting under authority of CE or BA; or
- Inadvertent disclosure to third party not reasonably able to retain information
- Risk Assessment Reveals Evidence of “Low Risk” Harm

Security Breach Notification

Unsecured PHI: HHS Guidance (4/17/09)
- “Unsecured” PHI is not secured through the use of a technology or methodology specified by HHS that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals

Security Breach Notification

HHS Guidance re: Technologies & Methodologies to render PHI unusable, unreadable, indecipherable; not required, but if used, “safe harbor” with no reporting required

Two Mechanisms:
- Electronic PHI has been encrypted as specified in the HIPAA Security Rule and NIST Guidelines; or
- Media on which PHI is stored or recorded has been destroyed:
  - Paper, film, or other hard copy media have been shredded or destroyed such that PHI cannot be read or otherwise reconstructed
  - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved

Security Breach Notification

Notification Requirements
- Notification required to be made “without unreasonable delay” but no later than 60 calendar days after discovery of breach
- Notice must be:
  - In writing to individual by mail (or e-mail)
  - Sent to last known address of individual
  - If insufficient/out-of-date info, CE must give notice in substitute form (e.g. web site/media)

Security Breach Notification

Notification Requirements (continued)
- If breach involves PHI of more than 500 individuals in a state, CE must give notice of breach to prominent media outlets
- CE must also notify HHS of any breach
  - If more than 500 individuals, HHS must be notified immediately
  - If fewer than 500 individuals affected, the CE must notify HHS annually (March 1)

Security Breach Notification

All Notices must include, if possible:
- A brief description of what happened, including dates of the breach & discovery
- Description of the types of unsecured PHI that were involved in the breach
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- Brief description of what the CE involved is doing to investigate the breach, to mitigate losses, and protect against further breaches
- Contact procedures, including toll-free telephone number, e-mail address, web site, or postal address
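The breach-notification slides above (safe harbor, breach exceptions, the 60-day outer limit, the 500-individual media and HHS thresholds, the March 1 annual log) describe a decision procedure that incident responders end up re-deriving under time pressure. The following Python helper is an added example, not material from the presenters, that encodes those rules as a triage function. The names Incident, Obligations, triage and sample_results are assumptions made for this example, the sample incidents are constructed, and legal determinations (whether an exception truly applies, whether a risk assessment shows low risk of harm) are inputs supplied by counsel rather than something the code decides.

```python
# Added example (not the presenters' material): breach-notification triage
# encoding the Section 13402 rules as summarised on the slides above.
# Assumptions: incident facts are entered by hand into an Incident record;
# whether an exception or "low risk" finding applies is an input, not a result.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Safe-harbor mechanisms from the HHS guidance slide; anything else is "unsecured".
ENCRYPTED_PER_NIST = "encrypted_per_nist"   # ePHI encrypted per Security Rule / NIST
MEDIA_DESTROYED = "media_destroyed"         # shredded, or sanitized per NIST SP 800-88


@dataclass
class Incident:
    discovered: date                        # date the breach was discovered
    affected_by_state: Dict[str, int]       # state code -> individuals affected
    phi_protection: Optional[str] = None    # ENCRYPTED_PER_NIST, MEDIA_DESTROYED or None
    exception: Optional[str] = None         # slide exception, if counsel says one applies
    low_risk_of_harm: bool = False          # risk assessment found only "low risk" harm


@dataclass
class Obligations:
    notify_individuals: bool
    individual_deadline: Optional[date]     # outer limit; "without unreasonable delay" still governs
    media_notice_states: List[str]          # states with more than 500 affected individuals
    hhs_deadline: Optional[date]            # None when no notification is owed
    hhs_timing: str                         # "immediately", "annual log", or "none"
    reason: str


def phi_is_unsecured(incident: Incident) -> bool:
    """PHI is 'unsecured' unless an HHS-specified method made it unusable."""
    return incident.phi_protection not in (ENCRYPTED_PER_NIST, MEDIA_DESTROYED)


def total_affected(incident: Incident) -> int:
    return sum(incident.affected_by_state.values())


def triage(incident: Incident) -> Obligations:
    """Return the notification obligations the slides describe for one incident."""
    def none_owed(why: str) -> Obligations:
        return Obligations(False, None, [], None, "none", why)

    if not phi_is_unsecured(incident):
        return none_owed("safe harbor: PHI was secured per HHS guidance")
    if incident.exception:
        return none_owed(f"statutory exception: {incident.exception}")
    if incident.low_risk_of_harm:
        return none_owed("risk assessment shows low risk of harm")

    n = total_affected(incident)
    # Individuals must be notified no later than 60 calendar days after discovery.
    individual_deadline = incident.discovered + timedelta(days=60)
    # Media notice is owed in each state with more than 500 affected individuals.
    media_states = sorted(s for s, c in incident.affected_by_state.items() if c > 500)
    if n > 500:
        # More than 500 overall: HHS notified immediately; the same outer date is used here.
        hhs_timing, hhs_deadline = "immediately", individual_deadline
    else:
        # Fewer than 500: annual log to HHS by March 1. Assumption: the March 1 following
        # the calendar year of discovery. The slide does not address exactly 500
        # individuals; this code treats that case as the annual-log case.
        hhs_timing = "annual log"
        hhs_deadline = date(incident.discovered.year + 1, 3, 1)
    return Obligations(True, individual_deadline, media_states, hhs_deadline, hhs_timing,
                       f"breach of unsecured PHI affecting {n} individual(s)")


def sample_results() -> Dict[str, Obligations]:
    """Constructed sample incidents (not real events) run through triage()."""
    samples = {
        "lost_encrypted_laptop": Incident(date(2010, 3, 3), {"IN": 2000},
                                          phi_protection=ENCRYPTED_PER_NIST),
        "misdirected_fax_small": Incident(date(2010, 3, 3), {"IN": 12}),
        "stolen_backup_tape": Incident(date(2010, 3, 3), {"IN": 600, "IL": 150}),
        "wrong_chart_pulled": Incident(date(2010, 3, 3), {"IL": 1},
                                       exception="unintentional good-faith access within scope"),
    }
    return {name: triage(inc) for name, inc in samples.items()}


if __name__ == "__main__":
    for name, ob in sample_results().items():
        print(f"{name}: notify={ob.notify_individuals} by {ob.individual_deadline}, "
              f"media={ob.media_notice_states}, HHS={ob.hhs_timing} ({ob.reason})")
```

The safe-harbor check runs first because it is the only branch that turns on a technical control the security team owns: an encrypted laptop with 2,000 records yields no notification duty, while a twelve-record fax misdirection with no protection does. The deadlines produced are outer limits; the slides' "without unreasonable delay" language still governs the actual timing.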

Patient Requests to Restrict Disclosures

Current Law
- Individual has right to request that a CE restrict certain uses/disclosure of PHI pertaining to that individual
- CE not obligated to comply with request

New Law (Section 13405(a))
- CE required to agree to requested restriction if disclosure is to a health plan for payment purposes AND PHI relates to item/service that CE has been paid for out of pocket in full

“Minimum Necessary” Disclosures

Current Law
- CE required (except for treatment) to provide only the “minimum necessary” amount of PHI to accomplish purpose of use/disclosure

New Law (Section 13405(b))
- Until further guidance is issued, a CE is required, to the “extent practicable,” to limit disclosures of PHI to the “limited data set,” or if more information is needed, the “minimum necessary” to accomplish intended purposes of such use, disclosure, or request

“Minimum Necessary” Disclosures

- Limited Data Set: PHI that excludes direct identifiers, such as names, addresses, and SS#s
- Does not apply to treatment disclosures
- HHS required to issue guidance on minimum necessary standard within 18 months of ARRA (8/2010)

Accounting of Disclosures

Current Law
- Individual has right to receive accounting of disclosures of PHI for certain purposes made by a covered entity in the preceding 6 years
- Excludes treatment, payment, HC operations

New Law (Section 13405(c))
- CE that use electronic health records (“EHR”) must account for ALL PHI disclosures, including all TPO disclosures, that were made through the use of an EHR

Accounting of Disclosures

Grace period for compliance:
- For CE having EHR as of 1/1/09, new rules apply to disclosures of PHI on or after 1/1/2014
- For CE that acquire an EHR after 1/1/09, new rules apply to disclosures made on or after the later of 1/1/2011 or the date that the CE acquired the EHR
- HHS can postpone compliance dates

Accounting of Disclosures

- Under new law, required reporting period reduced from 6 years to 3 years
- HHS to issue regulations re: what information must be maintained about each PHI disclosure
- In response to request from an individual, a CE shall provide account of disclosures of PHI:
  - Made by the CE and all applicable BA; OR
  - Made only by the CE and provide a list and contact information for all relevant BA

Marketing

Current Law
- CE must obtain patient’s authorization for any PHI use or disclosure for marketing purposes. Certain exceptions apply.

New Law (Section 13406(a)) with New Regulations Due 2/17/10
- Confirms that any communication that encourages recipient to use a product or service is not considered a health care operation (and is therefore marketing) unless it is made:

(continued)

Marketing

Marketing Exceptions Continued:
- To describe a health-related product/service provided by or included in plan of benefits of the CE making communication;
- For treatment of that individual; OR
- For case management, care coordination, or to recommend alternative treatments, therapies, providers, settings of care

Above 3 exceptions will not be considered HC operations unless:
- Payment is for a communication re: a drug currently prescribed for the recipient of the communication and payment is reasonable in amount;
- The communication is made by the CE & the CE obtains a valid HIPAA authorization; OR
- The communication is made by a BA of a CE, and such communication is consistent with the BA Agreement

Fundraising (Section 13406(b))

- All written fundraising communications shall provide the recipient with an opportunity to opt out of any future fundraising communications
- If person opts out, such election is to be treated as revocation of authorization under HIPAA
- Applies to communications occurring on or after February 17, 2010

Patient Access to PHI in Electronic Format

Current Law
- Patients have a right to obtain copy of their PHI maintained in designated record set

New Law (Section 13405(e))
- Patients have a right to obtain copy of their PHI in electronic format if the CE uses an EMR so long as request is clear & specific
- Fee limitations apply

Prohibition on Sale of PHI

New Law (Section 13405(d))
- CE and BA are prohibited from receiving remuneration in exchange for PHI unless the patient has signed an authorization specifying approval
- Several exceptions, including public health activities, due diligence in conjunction with sale/merger of CE, etc.
- Subject to additional regulations

HHS “Improved Enforcement”

New Law (Section 13411)
- Secretary of HHS required to perform periodic audits to ensure that CE and BA are in compliance with HIPAA and new ARRA requirements
- HHS required to submit number of audits performed and summary of findings to Congress on annual basis by 2/17/10

HHS “Improved Enforcement”

New Law (Section 13410(a))
- HHS must investigate any complaint that may have resulted from “willful neglect” effective 2/17/11
- If violation found, HHS required to impose CMPs

New Law (Section 13410(c))
- CMPs/monetary settlements collected shall be transferred to the OCR to be used for HIPAA enforcement purposes
- HHS shall establish regulations (by 2/17/12) that specify methodology under which an individual who has been harmed by HIPAA violation may receive a percentage of any monetary amount collected

HHS “Improved Enforcement”

New Law Effective 2/17/09 (Section 13410(e))
- State Attorneys General may bring civil actions to enjoin privacy/security actions or obtain damages on behalf of state residents
- Damages limited to $100 per violation with cap of $25,000 for identical violations in year
- Costs and attorney fees can be awarded to State

HIPAA Action Plan

Covered Entity Compliance
- Update Policies
- Update Privacy Notice
- Communicate With BAs Regarding New Obligations
- BAA Amendments

Business Associate Compliance
- Security Risk Assessment
- Establish Policies
- Communicate with Subcontractors Regarding New Obligations
- BAA (Subcontractor) Amendments

Questions?

Susan Ziel, RN JD
(317) 238-6244
[email protected]

Gerald “Jud” DeLoss
(312) 423-9307
[email protected]