
Webinar: Your HIPAA Omnibus Rule Compliance Checklist

DESCRIPTION

The HIPAA rules for Privacy and Security of Protected Health Information (PHI) have NEW finalized requirements with a compliance deadline of September 23, 2013. The changes include: - Significant changes to patient rights - Modifications of marketing rules - A major change to how breaches of PHI are determined - New requirements in Business Associate relationships The changes to the rules create new challenges for HIPAA entities, and new risks for non-compliance and penalties. Join BridgeFront and leading consultant, Jim Sheldon-Dean, for a free webinar that explains these changes and identifies the items you need to complete by the deadline.

Page 1: Webinar: Your HIPAA Omnibus Rule Compliance Checklist

BridgeFront www.bridgefront.com [email protected] (866) 447-2211

Lewis Creek Systems, LLC

BridgeFront Welcomes You To:

HIPAA Omnibus Rule Compliance Checklist

Conference Line: (646) 558-2121

Access Code: 903-718-495

With Presenter:

Jim Sheldon-Dean, Director of Compliance Services, Lewis Creek Systems, LLC

If you are experiencing difficulties hearing or seeing this presentation, send an email to [email protected] or call 1 (866) 447-2211.


Today’s Presenter:

Jim Sheldon-Dean, Lewis Creek Systems, LLC

HIPAA Omnibus Rule Compliance Checklist


About Jim Sheldon-Dean

BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT

More than three decades in consulting, information systems, and software development

Process, problem-solving oriented

Eight years as Vermont EMT, crew chief

12 years specializing in HIPAA and health information privacy and security consulting

Involved in WEDI, HIMSS, VITL, frequent speaker about HIPAA and information privacy and security

See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc.


Our Time Together

Changes to HIPAA privacy policies and procedures.

New process for deciding on breach report-ability.

Changes to HIPAA business associate relationships.


HITECH Act Updates to HIPAA

• Most of the proposed rules were finalized in the HIPAA Omnibus Update published January 25, 2013, effective March 26, 2013, with compliance required by September 23, 2013

• Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

• New Combined Rules published by HHS OCR, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html


Poll Question #1

Is your organization ready for the HIPAA Omnibus compliance deadline?

o Yes

o No

o I Don't Know


What’s New in HIPAA?

• New individual rights for access and requesting restrictions

• New restrictions on disclosures for marketing, sale of PHI; changes to rules for use of PHI for fundraising

• Notices of Privacy Practices must be updated

• Expansion of rules to Business Associates

• Change in the way to determine whether or not a breach must be reported

• New restrictions on use of genetic information by health plans

• PHI not protected >50 years after individual’s death

• No changes to Accounting of Disclosures or CLIA, yet…


Designated Record Set

Per 45 C.F.R. §164.501:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.


Use vs. Disclosure

• Per 45 C.F.R. §160.103 HIPAA Definitions

• Disclosure: the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information

• As distinct from Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information


Restriction of Disclosures

HITECH §13405(a):

An individual may request that a disclosure not be made to their health plan for an item or service paid for entirely out of pocket; the provider must comply

In the HIPAA Omnibus Update, now under §164.522(a)(1)(vi)


Impact of Restriction of Disclosures to Insurers

• Must have a policy/procedure/process

• Required in your EHR to meet the law

• Can you flag such encounters?

• What about pass-through effects?

• Issues with aggregated data

• What about contracts with insurers?

• Must be in the Notice of Privacy Practices


Individual Access of PHI

• HIPAA §164.524: Must have a process for individual to request access, for reasonable cost-based fee

• Must provide the entire record in the Designated Record Set if requested:

– Medical and billing records used in whole or in part to make decisions related to health care

– New: Information kept electronically must be available electronically if requested

– Exceptions for Psychotherapy notes, CLIA, others

– Changes to HIPAA and CLIA proposed to allow access of lab information by individuals, not finalized yet

• New: 30-day extension for off-site records no longer allowed


Impacts of Individual Access of EHR Information

• All kinds of electronic info in designated record set, not just your formal EHR

• Have you performed inventory of PHI?

• Are access procedures in place?

• Who responds to requests for access?

• What are acceptable formats for electronic access?

• What if the patient wants you to send plain e-mail?

• Need to update the Notice of Privacy Practices


Individual Preferences for Communication

• §164.522(b)(1) Standard: Confidential Communications Requirements

– (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.

• §164.524(c) Provision of Access

– (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format….

– New (c)(2)(ii): If PHI is maintained electronically, the individual may request an electronic copy.


Calculating/Evaluating Risk

• Each Risk Issue has an Impact and Likelihood

– Impact is how great the damage would be; more information about more people with more detail is greater

– Likelihood is how likely it is that the risk issue would become a reality

• Risk = Impact x Likelihood

– If risk level appears low, an informed risk decision can be made by the patient

– Rights can not be given up under HIPAA, but individuals can make an informed risk decision


Marketing Changes

• Marketing still requires an Authorization

• Treatment and healthcare operations do not require an authorization (with notice in the HIPAA Notice of Privacy Practices), except:

• Authorizations are required for all treatment and healthcare operations where the Covered Entity receives financial remuneration from a third party whose product or service is being marketed

• Exemptions from the Authorization requirement:

– Face-to-face communication

– Refill reminders or other information about a drug or biologic that is currently prescribed (unless there is remuneration)

– Communications promoting health in general that do not promote a product or service from a particular provider

– Communications about government and government-sponsored programs


New Restrictions on Sale of PHI

• HIPAA §164.508(a)(4): If you disclose for remuneration, you must have an authorization stating that the disclosure results in remuneration

• Exceptions for public health, research, treatment and payment purposes, sale of practice, transfer to a BA providing services, to the individual, etc.


Fundraising Changes

• HITECH §13406(b) now effective under HIPAA §164.514(f)(1): Opportunity to Opt Out of Fundraising

• Demographic information, dates of healthcare services, department providing services, physician, health plan status, and outcome can be used for fundraising without authorization

• Notice of Privacy Practices must state so, may need to modify

• Easy Opt-out must be provided, by campaign or for all campaigns, must be honored, and can’t be used to condition treatment or payment


Update Notice of Privacy Practices

• HIPAA Notice of Privacy Practices must reflect individual rights and controls on uses and disclosures

– New right of access to electronic PHI

– New right of restriction of disclosures

– New right to be notified in the event of a breach

– Changes to Marketing and Fundraising

– GINA notice for health plan NPPs

• Must update policies and NPP together, by deadline

• Start using (and post) new version; no requirement for providers to redistribute to all patients


Poll Question #2

Has your HIPAA Notice of Privacy Practices been updated?

o No, not yet

o No, but we’re working on it

o Yes, we’re about to implement it

o Yes, we have already implemented it


Big Changes for Business Associates

• New definition of what is a Business Associate

• New application of rules directly to BAs

• New consideration of how the rules apply to “cloud” based vendors

• Need to update all Business Associate Agreements


What is a Business Associate?

• An individual or entity, not acting as an employee, that:

– Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA on behalf of a covered entity (CE) or another BA

– Provides legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services and needs PHI to do it

• Anything a CE or BA could do itself but has someone else do it for them, involving creation, receipt, maintenance, or transmission of PHI

• Now includes subcontractors, Patient Safety Organizations, Health Information Exchanges


What is a Business Associate?

• Includes:

– Billing service

– Shredding service

– Systems vendors who access PHI

• Does not include those who would have no reason to use, disclose, create, receive, maintain or transmit PHI, such as:

– Tradesmen (plumber, etc.)

– Housekeeping, etc.

• Not Payers, other Providers, or Workforce Members

• Not Conduits (USPS, FedEx, etc.)


Business Associates Now Directly Regulated by HIPAA

• Security Rule applies

• Breach Notification Rule applies

• Privacy Rule Use and Disclosure provisions apply

• Business Associates responsible for having contracts with Covered Entities and Subcontractors

• Business Associates liable for compliance and violations

• Contracts signed since January 25, 2013 must meet new standard by September 23, 2013

• Older, compliant contracts signed before January 25, 2013 and “evergreen” contracts have until September 23, 2014


Conduits, Persistence of Custody & Clouds

• A narrow BA exception for Conduits – simple delivery only

• Persistence of Custody of PHI creates a BA relationship

• Regular e-mail services have persistent custody of messages

• Are Cloud vendors Business Associates?

• Now under review by HHS (and cloud vendors)

• Principle of Persistence of Custody of PHI may apply in Cloud

• Don’t forget: Security includes Confidentiality, Integrity, and Availability

• Consider persistence of custody PHI, even if encrypted


Preparing to Update BAAs

• Prioritize by risk, expiration date

• Review for liability and indemnification of breaches

• Include new required elements

– Requirements for BAs and their subcontractors to comply with the HIPAA Security Rule, and with specific sections of the HIPAA Privacy Rule

– New language surrounding breach notification and the securing of PHI

– New disclosure-related requirements for Electronic Health Records

– Removed: Requirement for clause obligating CEs to report noncompliance by a downstream entity to HHS

• New sample Business Associate Agreement provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html


Poll Question #3

Do you use any “cloud” vendors for handling any of your PHI?

o No, we don’t

o Yes, but we don’t treat them as Business Associates

o Yes, and we have them under a BA Agreement

o I don't know


One (Big) Change in Breach Notification

• Breach Notification final rule is same as proposed, with one change

• Significant change to how you decide if a breach must be reported or not


What is a Breach?

• A Reportable Breach is acquisition, access, use, or disclosure of unsecured PHI in violation of the Privacy Rule, with some exceptions by law if:

– PHI is destroyed

– Unintentional, in good faith, with no further use (within your organization)

– Inadvertent and within job scope (within your organization)

– Info cannot be retained

• “Harm Standard” for evaluation of need to report removed

• Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment


Is It a Reportable Breach?

• All breaches not meeting an exception are reportable unless there is a “low probability of compromise” of the data, based on a risk assessment including at least:

– what was the info, how well identified was it, and is its release “adverse to the individual”

– to whom it was disclosed

– was it actually acquired or viewed

– the extent of mitigation


Breach Notification Decision Tree Step 1

• Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?

• If No, not a breach, end of process

• If an incident, document the incident fully and the determination of “not a breach”

• If Yes, Go on to Step 2


Breach Notification Decision Tree Step 2

• Was the information secured according to HHS guidance, or destroyed?

• If Yes, not reportable, end of process; document the incident and determination of “not a reportable breach”

• If No, go on to Step 3; encryption that falls short of the HHS guidance does not end the process here, but it can still count as mitigation in the Step 5 risk assessment


Breach Notification Decision Tree Step 3

• Was the potential breach internal to your organization, AND unintentional, in good faith, with no further use, or inadvertent and within job scope?

• If Yes, not a breach, end of process, document the incident and determination of “not a breach”

• If No, go on to Step 4


Breach Notification Decision Tree Step 4

• Is there no way the breached information can be retained?

• If there is no way the PHI was retained, it is not a breach; end of process, document the incident and determination of “not a breach”

• If the breached information may be retained in some way, go on to Step 5


Breach Notification Decision Tree Step 5

• If you’ve gotten here, you have a breach, and now the only way to keep from having to report it is to do a risk assessment to see if there is a “low probability of compromise”

• If there is a low probability of compromise, it is not reportable, end of process, document incident and determination of “not a reportable breach”

• If NOT a low probability of compromise, MUST report


Breach Notification Risk Assessment

• Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment including at least:

– what was the info and how well identified was it (and is its release “adverse to the individual”)

– to whom it was disclosed

– was it actually acquired or viewed

– the extent of mitigation


Factor 1: Extent and nature of PHI

• Evaluate the nature and extent of the PHI Involved including the types of identifiers and the likelihood of re-identification – Consider:

– Financial and clinical sensitivity of the information

– Are direct or indirect identifiers included

– Can the information be linked for re-identification

– Does the person receiving the PHI have the ability to re-identify the PHI


Factor 2: Who Received the PHI

• Evaluate the nature of the unauthorized person who used the PHI or to whom the disclosure was made – Consider:

– Does the person have obligations to protect the privacy and security of the PHI

– Is the identity of the unauthorized person known

– What is the likelihood that the information would be used by an unauthorized recipient to adversely affect individuals or for personal gain


Factor 3: Was the PHI Viewed

• Evaluate whether the PHI Involved was actually acquired or viewed – Consider:

– Was there opportunity to acquire or view the PHI

– Was the potential breach discovered and prevented before PHI was viewed or acquired

– What information are you relying on?


Factor 4: Was It Mitigated

• Evaluate the extent to which the risk to the PHI has been mitigated – Consider:

– Were satisfactory assurances obtained that PHI will not be further used or disclosed

– The person providing satisfactory assurances

– Are the satisfactory assurances written


Notification Determination Process Summary

1. Was there acquisition, access, use, or disclosure in violation of the Privacy Rule?

2. Was it secured?

3. Does it qualify for one of the internal exceptions?

4. Is the information un-retainable?

5. Is there a low probability of compromise per a risk assessment?
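The five-step determination summarized above, together with the four risk factors Step 5 rests on, as an added Python example that is not part of the webinar deck or the presenter's materials. The Incident fields, the constructed sample incidents, and the 0-to-2 scoring of each factor with its threshold for a "low probability of compromise" are assumptions made for illustration; the rule requires a documented, fact-specific risk assessment, not a fixed score. What the function does reliably is force every step and its conclusion into a written record, which is the documentation the deck insists on at each exit of the tree.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    NOT_A_BREACH = "not a breach"
    NOT_REPORTABLE = "breach, not reportable"
    REPORTABLE = "reportable breach"


@dataclass(frozen=True)
class Incident:
    """Facts gathered by the privacy officer. Field names are assumptions for this example."""
    description: str
    privacy_rule_violation: bool            # Step 1
    secured_or_destroyed: bool              # Step 2: encrypted per HHS guidance, or destroyed
    internal_to_org: bool                   # Step 3, first half of the test
    unintentional_good_faith_no_reuse: bool  # Step 3 exception (a)
    inadvertent_within_job_scope: bool       # Step 3 exception (b)
    could_be_retained: bool                 # Step 4
    # Step 5 factors, 45 CFR 164.402(2)(i)-(iv); 0 favours "low probability", 2 weighs against it
    nature_of_phi: int = 0
    unauthorized_recipient: int = 0
    acquired_or_viewed: int = 0
    unmitigated: int = 0


# Assumed scoring rule for Step 5; it only exists to make the example testable.
LOW_PROBABILITY_MAX_TOTAL = 2


def low_probability_of_compromise(i: Incident) -> bool:
    factors = (i.nature_of_phi, i.unauthorized_recipient, i.acquired_or_viewed, i.unmitigated)
    if any(f not in (0, 1, 2) for f in factors):
        raise ValueError("each risk factor must be scored 0, 1 or 2")
    # Any single factor at the high end defeats a "low probability" finding.
    return max(factors) < 2 and sum(factors) <= LOW_PROBABILITY_MAX_TOTAL


def decide(i: Incident) -> tuple[Outcome, list[str]]:
    """Walk the five steps; return the outcome and the record to file with the incident."""
    record = [f"Incident: {i.description}"]
    if not i.privacy_rule_violation:
        record.append("Step 1: no acquisition/access/use/disclosure in violation of the Privacy Rule")
        return Outcome.NOT_A_BREACH, record
    record.append("Step 1: Privacy Rule violation confirmed")
    if i.secured_or_destroyed:
        record.append("Step 2: PHI secured per HHS guidance or destroyed; not unsecured PHI")
        return Outcome.NOT_REPORTABLE, record
    record.append("Step 2: PHI was unsecured")
    if i.internal_to_org and (i.unintentional_good_faith_no_reuse or i.inadvertent_within_job_scope):
        record.append("Step 3: internal exception applies (good faith/no reuse, or within job scope)")
        return Outcome.NOT_A_BREACH, record
    record.append("Step 3: no internal exception applies")
    if not i.could_be_retained:
        record.append("Step 4: recipient could not have retained the PHI")
        return Outcome.NOT_A_BREACH, record
    record.append("Step 4: PHI may have been retained")
    if low_probability_of_compromise(i):
        record.append("Step 5: risk assessment supports low probability of compromise")
        return Outcome.NOT_REPORTABLE, record
    record.append("Step 5: low probability of compromise NOT supported; notification required")
    return Outcome.REPORTABLE, record


# Constructed sample incidents (not taken from the webinar).
SAMPLE_INCIDENTS = [
    Incident("Laptop stolen from car; full-disk encryption per HHS guidance, key not on device",
             privacy_rule_violation=True, secured_or_destroyed=True, internal_to_org=False,
             unintentional_good_faith_no_reuse=False, inadvertent_within_job_scope=False,
             could_be_retained=True),
    Incident("Nurse opened wrong patient's chart, closed it at once, no further use",
             privacy_rule_violation=True, secured_or_destroyed=False, internal_to_org=True,
             unintentional_good_faith_no_reuse=True, inadvertent_within_job_scope=False,
             could_be_retained=True),
    Incident("Fax misdirected to another covered provider, who shredded it and confirmed in writing",
             privacy_rule_violation=True, secured_or_destroyed=False, internal_to_org=False,
             unintentional_good_faith_no_reuse=False, inadvertent_within_job_scope=False,
             could_be_retained=True, nature_of_phi=1, unauthorized_recipient=0,
             acquired_or_viewed=1, unmitigated=0),
    Incident("Unencrypted USB stick with 2,000 patient records stolen, thief unknown",
             privacy_rule_violation=True, secured_or_destroyed=False, internal_to_org=False,
             unintentional_good_faith_no_reuse=False, inadvertent_within_job_scope=False,
             could_be_retained=True, nature_of_phi=2, unauthorized_recipient=2,
             acquired_or_viewed=1, unmitigated=2),
]


def run_samples() -> list[Outcome]:
    results = []
    for inc in SAMPLE_INCIDENTS:
        outcome, record = decide(inc)
        results.append(outcome)
        print("\n".join(record), f"=> {outcome.value}", "", sep="\n")
    return results


if __name__ == "__main__":
    run_samples()
```

The record returned by `decide` is the artifact to keep: for the exits at Steps 1, 3 and 4 it documents why the event was "not a breach", for Steps 2 and 5 why a breach was "not reportable", and for the last branch it is the start of the notification file. Encryption that misses the HHS guidance is deliberately not treated as "secured" at Step 2; it is scored as mitigation under the `unmitigated` factor instead.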


Poll Question #4

Do you have a breach notification policy and procedure in place?

o Yes, and we have used it

o Yes, but we haven't had to try it yet

o I think we have some informal policy somewhere

o Yes, but it's not adequate

o No


Statistics on HIPAA Breach Notification

• For reported breaches of 500 or more individuals’ PHI in the first year of the reporting requirement:

– 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%): old-fashioned physical security of valuable data

– 17% are caused by unauthorized access or disclosure

– 6% are caused by hacking

• Portable data, laptops, smart phones, memory sticks the leaders for breaches of PHI

• HHS Wall of Shame for large breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html


Most Frequent HIPAA Security Issues, per HHS OCR

• Lack of Incident Response and Reporting Process

• Lack of Security Awareness and Training

• Poor Technical Access Control

• Poor Administrative Information Access Management

• Poor Physical Workstation Security

Source: Presentation by OCR at NIST/OCR HIPAA Security Conference, May 11, 2011


Lessons Learned From PHI Breaches

• Have physical safeguards for areas where paper records are stored or used

• Reduce risk through network or enterprise storage as alternative to local devices

• Encrypt data at rest on any desktop or portable device/media storing ePHI

• Have clear and well documented administrative and physical safeguards on the storage devices and removable media which handle ePHI

• Raise the security awareness of workforce members and managers to promote good data stewardship


New Enforcement Definitions

• Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect

• Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances

• Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated


Tiered Penalty Structure

• HIPAA Enforcement Rule, 45 C.F.R. §160.404 – Penalty Amounts

• Tier 1: Did not know and, with reasonable diligence, would not have known – $100 - $50,000 per violation

• Tier 2: Violation due to reasonable cause and not willful neglect –$1000 - $50,000 per violation

• Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence –$10,000 - $50,000 per violation

• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence –$50,000 per violation

• $1.5 million maximum for all violations of a similar type in a calendar year


HHS is Serious about Enforcement

• $4.3 million fine for Cignet Health of Maryland for multiple violations

• $1 million settlement with Mass General Hospital

• $865K+ settlement with UCLA Health System for snooping in records

• Multiple multi-million dollar settlements with pharmacies

• $100K settlement with a physician’s office for Security Rule violations

• $1.5 million settlement with BC/BS of Tennessee for lost hard drives

• $1.7 million settlement with Alaska Medicaid for lack of security process

• $1.5 million settlement with MEEI for lack of security for portable devices

• $500K settlement with Hospice of North Idaho for insecure laptop

• $400K settlement with Idaho State University for insecure server, process

• $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations

• $1.7 million settlement with WellPoint for insecure server, no process

• $1.2 million settlement with Affinity Health for insecure disposal of copiers


Your To-Do List…

Don’t be in denial – willful neglect will cost you

Prepare for new individual rights

Find and prioritize (by risk) BA agreements

Make sure EHR vendors can meet restriction requirements and provide electronic copies

Update your Breach Notification evaluation process

Review your policies and procedures per the rules

Document, document, document!

Conduct drills in audit and breach response

Make corrections based on results

Always have a plan for moving forward, and follow it!


Please let me know if you have any questions! I’m always happy to help.

Jim Sheldon-Dean

[email protected]

www.lewiscreeksystems.com

802-425-3839

Thank You!