HIPAA Omnibus Rule: Critical Changes for Business Associates

Description

On January 25, 2013, the Office for Civil Rights (OCR) published its long-awaited updates to the HIPAA Privacy and Security Rules, the Omnibus Rule. These rules are the first comprehensive update of the HIPAA Privacy and Security Rules since the regulations were originally published. Join BridgeFront and leading consultant and attorney Susan A. Miller, JD, in this presentation, which addresses the critical updates and changes that affect business associates. The Omnibus Rule becomes effective March 26, 2013. Covered entities and business associates of all sizes have 180 days beyond the effective date of the final rule to come into compliance with its provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA.


Page 1: HIPAA Omnibus Rule: Critical Changes for Business Associates

HIPAA Omnibus Rule: Critical Changes for Business Associates

Presented by Susan A. Miller, JD

Hosted by BridgeFront

Page 2

Agenda

• What the Omnibus Rule includes
• Effective and Compliance Dates
• Business Associates
• Breach Notification
• Genetic Information Nondiscrimination Act (GINA)
• Enforcement
• Questions

Page 3

Dates + 4 Rules

The Omnibus Final Rule is effective on March 26, 2013 and the compliance date is September 23, 2013. It finalizes four earlier rulemakings:

• July 2010 Notice of Proposed Rule Making (NPRM) on HITECH privacy and security changes to HIPAA
• October 2009 Notice of Proposed Rule Making (NPRM) on Genetic Information Nondiscrimination Act (GINA) changes to HIPAA
• August 2009 Interim Final Rule (IFR) on HIPAA Breach Notification
• October 2009 Interim Final Rule (IFR) on the HIPAA Enforcement Rule

Page 4

Business Associates Under HITECH

Who is a Business Associate?

● Omnibus Final Rule: an entity that "…creates, receives, maintains, or transmits [PHI] for a function or activity regulated by [HIPAA]…" on behalf of a Covered Entity
● The Omnibus Final Rule expanded the definition of Business Associate to include:
  ● Health Information Organizations
  ● E-prescribing Gateways
  ● Personal Health Records (PHR) providers acting on behalf of a Covered Entity
  ● Patient Safety Organizations
  ● Subcontractors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Business Associates
● Subcontractor means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate

Page 5

New Business Associate Obligations

Summary of BA Obligations Prior to HITECH

● Prior to the HITECH Act, a BA was not subject to direct enforcement of, or compliance with, the HIPAA Privacy and Security requirements
● A BA's obligations arose solely under the terms of its BA agreement with the Covered Entity (CE)
● The BA was subject only to contractual remedies for breach of the BA agreement (BAA)

Page 6

New Business Associate Obligations

Summary of BA Obligations Under the Omnibus Final Rule

● Direct compliance with all requirements of the HIPAA Security Rule
● Directly liable for impermissible uses and disclosures of PHI under HIPAA
● Provide the CE with notice of a breach in accordance with the Breach Notification Rule
● Required to provide access to a copy of electronic PHI to the CE (or the individual)
● Provide PHI where required by the Secretary to investigate the BA's compliance with HIPAA
● Provide an accounting of disclosures as required by HITECH (Final Rule pending)

Page 7

New Business Associate Obligations

BA Security Rule Compliance and Oversight

● The Omnibus Final Rule requires BAs to comply with the HIPAA Security Rule's requirements and to implement policies and procedures in the same manner as a CE
● Requires the BA to implement:
  ● Administrative,
  ● Physical, and
  ● Technical safeguards
  in compliance with the HIPAA Security Rule (most BA agreements already require this by contract)
● Compliance date under the Omnibus Final Rule – 9/23/13

Page 8

New Business Associate Obligations

BA Security Rule Compliance and Oversight (Cont'd)

● BAs must conduct a risk assessment and be more proactive and diligent in monitoring new rules, regulations and guidance
● Large BAs may already have a comprehensive security compliance program
● Smaller BAs, particularly those that are not exclusively dedicated to the healthcare industry, may have a lot of work to do
● The good news – the Security Rule reflects prudent risk management practices and flexible standards

Page 9

New Business Associate Obligations

BA Privacy Rule Obligations Limited to HITECH Changes

● The HITECH Act does not impose ALL Privacy Rule obligations upon a BA
● BAs are subject to direct enforcement of HIPAA Privacy obligations and penalties in the same manner as a CE, BUT only to the extent required under HITECH – not all of the HIPAA Privacy Rule obligations

Page 10

New Business Associate Obligations

BA Privacy Rule Impacts

● Disclosure of Protected Health Information (PHI) must be kept to a limited data set or the minimum necessary
● A Health Provider must honor a request by an individual to restrict disclosure of PHI to a Health Plan if the individual pays for the service out-of-pocket in full
● An individual has a right to a copy of PHI in electronic format
● Sale of PHI is prohibited unless authorized by the individual
● Certain marketing communications require authorizations
● The BA must comply with all of the above requirements to the extent applicable to the BA's access to PHI on behalf of the CE
● Compliance date under the Omnibus Final Rule – 9/23/13

Page 11

New Business Associate Obligations

BAs and Breach Notification

● The BA must notify the CE in the event of a breach of unsecured PHI
● Notice must be made without unreasonable delay and not more than 60 days from when the breach was discovered (CEs typically seek to shorten this time by contract)
● Discovery is when the BA knew or "should have known"
● The breach notice to the CE must identify the individuals whose PHI was involved in the breach
● The BA must provide any other available information that the CE is required to include in its notice to individuals

Page 12

New Business Associate Obligations

BA Agreement (BAA) Required Provisions

● The Omnibus Final Rule clarified the required HITECH Act provisions:
  ● The BA is required to comply with ALL HIPAA Security Rule obligations
  ● The BA must report to the CE any breach of unsecured PHI as required by the Breach Notification Rule
  ● The BA must enter into BAAs with subcontractors imposing the same obligations that apply to the BA
  ● The BA must comply with the HIPAA Privacy Rule to the extent the BA is carrying out a CE's obligations under the HIPAA Privacy Rule

Page 13

New Business Associate Obligations

BAA Implementation Timeline

● For HIPAA-compliant BAAs executed prior to publication of the Final Rule (1/25/2013) – entities may have up to 1 additional year beyond the 9/23/2013 compliance date
● BAAs executed PRIOR to 1/25/2013 that are not set to terminate or renew before 9/23/2013 – these must be compliant by the earlier of the renewal date or 9/22/2014
● New BAAs executed AFTER 1/25/2013, or existing BAAs scheduled to be renewed before 9/23/2013 – these must be compliant by 9/23/2013

Page 14

New Business Associate Obligations

Preparing to Amend BA Agreements

● Evaluate your own identity: Are you a BA? Are you a CE?
● Prepare to engage business partners by creating a list of all contracted entities and assessing whether PHI is involved
● Do you currently have BAAs in place? If not, are they needed?
● Engage legal counsel to review your standard BAA against HITECH and the Omnibus Final Rule and draft any needed updates based on the required provisions and organizational needs/risks
● Educate yourself on all HIPAA and HITECH requirements and BAA required provisions, and monitor the Office for Civil Rights (OCR) closely for additional regulatory publications and announcements
● OCR maintains sample BAA provisions on its website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (updated 1/25/2013)

Page 15

New Business Associate Obligations

Agency Relationship Considerations

● The Omnibus Final Rule makes clear that a CE is liable for the acts or omissions of its BA acting within the scope of "agency"
● BAs are likewise liable for the acts or omissions of their subcontractors acting within the scope of "agency"
● This means:
  ● An entity can be penalized for its agent's violations
  ● Knowledge held by the agent will be imputed to the principal (e.g., knowledge of a breach or other violation)
● The federal common law of agency will govern whether an agency relationship exists between the parties – regardless of what the contract actually says

Page 16

New Business Associate Obligations

Agency Relationship Considerations (Cont'd)

● Whether an agency relationship exists will depend on the right or authority of the CE to control the BA's conduct and performance, based on the right to give interim instructions
● Agency consideration factors:
  ● The time, place and purpose of the BA's conduct
  ● Whether the BA engaged in a course of conduct subject to control by the CE
  ● Whether the BA's conduct is of a kind commonly done by a BA
  ● Whether or not the CE reasonably expected that a BA would engage in the conduct in question
● This will be a fact-specific analysis, and in some cases an agency relationship may exist simply based on the nature of the relationship between the CE and BA

Page 17

New Business Associate Obligations

Liability for Agents

● A CE is liable for acts of agents within the scope of agency
  ● Includes members of its workforce
  ● Includes agents who are business associates, regardless of whether a BA contract is in place
● A BA is also liable for acts of agents within the scope of agency
  ● Workforce
  ● Agents who are subcontractor business associates
● Fact specific, taking into account:
  ● The business associate contract, and
  ● The totality of the circumstances of the relationship
  ● Does the CE have authority to provide interim instructions or directions?

Page 18

New Business Associate Obligations

BAs: Evaluate HIPAA Security Rule Compliance

● Review the OCR Security Rule Guidance at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
● National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66 is another good resource
● Conduct a HIPAA Security Risk Assessment
  ● This will help identify vulnerabilities, threats against existing controls, and the actions needed to address them
  ● NIST SP 800-30 is a good place to start
  ● NIST Security Risk Assessment Toolkit; download free at http://scap.nist.gov/hipaa/
  ● NIST SPs available at: http://csrc.nist.gov/publications/PubsSPs.html
● Review the OCR Enforcement Audit Protocol at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 19

Breach Notification

● HITECH Act: the first federal law mandating breach notification for the health care industry; it applies to:
  ● Covered Entities
  ● Business Associates
  ● Personal Health Records (PHR) vendors, and
  ● PHR service providers
● The Federal Trade Commission (FTC) regulates PHR vendors
● Health and Human Services (HHS) regulates CEs and BAs

Page 20

Breach Notification

Remember State Law

● 46 states (plus DC, Puerto Rico, and the Virgin Islands) have notification laws
● Evaluate state law as well as the Omnibus Rule requirements for:
  ● Trigger
  ● Timing
  ● Content
  ● Recipients

Page 21

Data Breach Notification Overview

● Upon discovery of a
  ● Breach of
  ● Unsecured
  ● Protected Health Information (PHI)
● Covered Entities and Business Associates must make notifications
● Subject to certain exceptions

Page 22

Definition of Breach

● Breach of:
  ● Unauthorized acquisition, access, use or disclosure of unsecured PHI
  ● In a manner not permitted by the HIPAA Privacy Rule
  ● That compromises the security or privacy of the PHI
● So far so good, but …

Page 23

Omnibus Final Rule Presumption

● An impermissible acquisition, access, use or disclosure of unsecured PHI is
● Presumed to be a reportable breach
● UNLESS the entity demonstrates that there is a low probability that the PHI has been compromised ("lo pro co")
● "Compromise" is not defined by the HIPAA Rules; from the preamble: "inappropriately viewed, re-identified, re-disclosed, or otherwise misused"

Page 24

Breach Risk Assessment

● A documented risk assessment needs to demonstrate that there is a low probability that the PHI has been compromised
● Four mandatory factors:
  ● What PHI: the nature and extent of the PHI involved
  ● Who: the unauthorized person who used the PHI or to whom the disclosure was made
  ● Acquired: whether the PHI actually was acquired or viewed
  ● Mitigation: the extent to which the risk to the PHI has been mitigated
● Other factors may be considered – the evaluation is of the overall probability

Page 25

Breach Risk Assessment

● The risk assessment must be:
  ● Thorough
  ● Completed in good faith
  ● Supported by reasonable conclusions
● An entity has discretion to provide notification without performing the risk assessment

Page 26

Lose an Exception

● The unauthorized person could not reasonably have been able to retain the PHI
● Certain good-faith or inadvertent access by, or disclosures to, workforce members in the same organization
● De-identified information does not pose a risk of harm
● Limited data sets without birth dates and zip codes (this exception from the 2009 Interim Final Rule was dropped by the Omnibus Final Rule; such a disclosure now has to go through the four-factor risk assessment like any other)

Page 27

Timing of Notice

● Notification must be made "without unreasonable delay"
● No more than 60 days after discovery
● Subject to a law enforcement delay

Page 28

Discovery

● "Discovery" of a breach occurs when:
  ● The entity has actual knowledge of a breach, including through a workforce member or agent (but not the person committing the breach), or
  ● Using reasonable diligence, the entity would have known of the breach
● Remember: agency is based on federal common law

Page 29

Contents of Notice to Individuals

● Notices must contain:
  ● A brief description of what occurred
  ● A description of the types of unsecured PHI involved (e.g., name, SSN, DOB, address) but not the actual PHI
  ● Steps individuals should take to protect themselves
  ● A brief description of what the Covered Entity is doing to investigate the breach, mitigate the damage, and protect against further breaches
  ● Contact information for questions

Page 30

Breach Notification

● Covered Entity to notify affected individuals
  ● Written notice
  ● Substitute notice
● Covered Entity to notify HHS
  ● Timing depends on the size of the breach
  ● 500 or more = contemporaneous notification
  ● Small breaches (<500) = annual notification
    ● Within 60 days of the end of the calendar year in which the breach was discovered (not occurred)
● Covered Entity may have to notify the media if more than 500 residents of a State are affected
● Business Associates to notify the Covered Entity
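As an added illustration (not code from the deck or from BridgeFront), the following Python calculator turns the notification tiers above, together with the imputed-knowledge point from the agency and discovery slides, into concrete deadlines. The sample breaches are constructed; the 60-day windows are treated as calendar days, the "knew or should have known" date is taken as given, and the `Breach` / `Obligations` names are this example's own.

```python
"""Breach-notification clock calculator (illustrative, not from the deck)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Outer limits as summarised in the slides: notice without unreasonable delay and
# no later than 60 days after discovery; HHS notice for 500+ individuals goes
# with the individual notices, smaller breaches are logged and reported within
# 60 days after the calendar year of discovery ends; media notice when more than
# 500 residents of one State are affected.
NOTICE_WINDOW = timedelta(days=60)   # assumption: counted as calendar days
HHS_PROMPT_THRESHOLD = 500
MEDIA_THRESHOLD = 500


@dataclass
class Breach:
    ba_discovered: date                 # when the BA knew or should have known
    ba_notified_ce: date                # when the BA actually told the CE
    ba_is_agent: bool                   # agency under federal common law
    affected_by_state: dict[str, int]   # constructed sample counts per State
    law_enforcement_delay: timedelta = timedelta(0)  # documented delay request


@dataclass
class Obligations:
    ce_discovery: date
    ba_to_ce_deadline: date
    individual_deadline: date
    hhs_deadline: date
    hhs_timing: str
    media_states: list[str]


def ce_discovery_date(b: Breach) -> date:
    """An agent's knowledge is imputed to the principal, so an agent BA's
    discovery starts the CE's clock; otherwise the CE's clock starts when the
    BA's report reaches it."""
    return b.ba_discovered if b.ba_is_agent else b.ba_notified_ce


def hhs_deadline(discovery: date, total_affected: int) -> tuple[date, str]:
    """500+ individuals: contemporaneous with individual notice.
    Fewer: 60 days after the end of the calendar year of discovery."""
    if total_affected >= HHS_PROMPT_THRESHOLD:
        return discovery + NOTICE_WINDOW, "contemporaneous"
    year_end = date(discovery.year, 12, 31)
    return year_end + NOTICE_WINDOW, "annual log"


def obligations(b: Breach) -> Obligations:
    total = sum(b.affected_by_state.values())
    ce_disc = ce_discovery_date(b)
    delay = b.law_enforcement_delay
    hhs_due, timing = hhs_deadline(ce_disc, total)
    if timing == "contemporaneous":
        hhs_due += delay  # a law-enforcement delay pushes the prompt notices out
    return Obligations(
        ce_discovery=ce_disc,
        ba_to_ce_deadline=b.ba_discovered + NOTICE_WINDOW,
        individual_deadline=ce_disc + NOTICE_WINDOW + delay,
        hhs_deadline=hhs_due,
        hhs_timing=timing,
        media_states=sorted(s for s, n in b.affected_by_state.items()
                            if n > MEDIA_THRESHOLD),
    )


def example_large(delay_days: int = 0) -> Obligations:
    """Constructed sample: a lost backup tape discovered by an agent BA on
    4/1/2013 and reported to the CE on 4/20/2013, 712 people in two States."""
    b = Breach(date(2013, 4, 1), date(2013, 4, 20), True,
               {"MA": 700, "NH": 12}, timedelta(days=delay_days))
    return obligations(b)


def example_small() -> Obligations:
    """Constructed sample: a misdirected fax from a non-agent BA, 40 people."""
    b = Breach(date(2013, 11, 15), date(2013, 12, 20), False, {"ID": 40})
    return obligations(b)


if __name__ == "__main__":
    print(example_large())
    print(example_small())
```

The point the two samples make is that the CE's 60-day clock does not always start when the CE hears about the breach: for an agent BA it starts on the BA's own discovery date, so a BAA that gives the BA the full 60 days to report can leave the CE with no time at all.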

Page 31

Practical Steps

● Revise breach notification policies and procedures
● Security Risk Analysis – revisit (or do one)
● Develop or revisit the Security Incident Response Plan
● Pay special attention to portable media and personal devices
● Train the entire workforce on:
  ● Avoidance
  ● Alertness to potential breaches
  ● Response to a breach

Page 32

Practical Steps

● Prepare the incident response team
● Be ready to respond to news media attention – have a designated spokesperson
● Consider tightening Business Associate Agreements, particularly for agents
● Encryption! Make the most of the encryption safe harbor, and verify document destruction
  ● National Institute of Standards and Technology (NIST) guidance specifies the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals (the HHS guidance points to NIST SP 800-111 for data at rest and to NIST SP 800-88 for media sanitization)
  ● The safe harbor depends on the key staying secret: if the decryption key or passphrase was on the same lost laptop or tape, the PHI is not "secured"
● Audit access to PHI and enforce policies

Page 33

GINA

● Genetic Information: broadly defined to include the manifestation of a disease or disorder in a family member of an individual, in addition to genetic tests of individuals and family members and the receipt of genetic services
● A Health Plan that uses or discloses PHI for underwriting purposes must revise its NPP to state that it will not use or disclose genetic information for such purposes
● The Health Plan definition has also been revised; HHS has exercised its authority to expand GINA to include all Health Plans except Long Term Care Health Plans

Page 34

Increased Enforcement

● The HITECH Act significantly strengthened HIPAA Enforcement
● Interim Final Rule of October 2009
  ● Created 4 categories of culpability with corresponding penalties
  ● Took effect immediately
● Omnibus Rule = Final Enforcement Rule
● The Enforcement Rule applies to Covered Entities and Business Associates

Page 35

Increased Enforcement

● Focus on Willful Neglect
● Willful Neglect: conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA
● OCR will investigate all cases of possible willful neglect
● OCR will impose a penalty on all violations due to willful neglect

Page 36

Increased Enforcement

Violation Category                          Each Violation       All Identical Violations per Calendar Year
Did Not Know                                $100 - $50,000       $1,500,000
Reasonable Cause                            $1,000 - $50,000     $1,500,000
Willful Neglect - corrected within 30 days  $10,000 - $50,000    $1,500,000
Willful Neglect - not corrected             $50,000              $1,500,000

Limits are per type of violation; e.g., four types of continuous violations over three years could equal $18 million (4 types x 3 years x $1,500,000).

Page 37

What to Do Now!

● Create a Culture of Compliance
● OCR is aggressively enforcing the HIPAA Privacy, Breach and Security Rules
● OCR suggests that Covered Entities and Business Associates should have a robust HIPAA Privacy and Security Compliance Program, including:
  ● Employee training
  ● Vigilant implementation of policies and procedures
  ● A prompt plan to respond to incidents and breaches
  ● Regular internal audits

Page 38

Sample Fines

• CVS: Privacy, $2.25M, 2009: Complaint
• Cignet: Privacy, $4.3M, 2011: CMP, Complaint
• Phoenix Cardiac Surgery: Privacy & Security, $100K, 2012: OCR Audit
• MEEI (Massachusetts Eye and Ear Infirmary): Security, $1.5M, 2012: Self-Reported Breach
• BCBS Tennessee: $1.5M, 2012: Self-Reported Breach
• Alaska Medicaid: Security, $1.7M, 2012: Self-Reported Breach
• Hospice of North Idaho: Security, $50,000, 2013: Self-Reported Breach of fewer than 500 individuals
• PLUS onerous Corrective Action Plans

Page 39

QUESTIONS

Susan A. Miller, JD
[email protected]
(O) 978-369-2092
(C) 978-505-5660

Thank You!