
Changes to HIPAA Privacy
and Security Requirements
Joel T. Kopperud
Scott A. Sinder
Rhonda M. Bolton
March 19, 2009
Overview
American Recovery and Reinvestment Act
(“ARRA”)
Stricter privacy and security obligations under HIPAA:
- Direct application to “business associates”
- Breach notification requirements for unsecured PHI
- Enhanced enforcement and penalties
Other changes to facilitate wider use of electronic health records
Additional restrictions on sale, marketing of PHI
Overview – Refresher
“Protected health information” (PHI): individually
identifiable information, in any form, about health or
condition, treatment or payment, that is created or
received by provider, health plan (including
insurance issuer or agent), employer, or
clearinghouse.
“Covered entity”: a health care provider, health
insurance plan, or health care clearinghouse.
“Business associate”: entities that receive or are
exposed to PHI in the course of providing services
to or on behalf of covered entities.
Overview – Refresher
HIPAA Privacy Requirements for Covered Entities:
- Notice
- Opt-in
- Access
- Administrative
(Obligations of business associates effectively the same)
HIPAA Security Safeguards re Electronic PHI for Covered Entities:
- Administrative (e.g., measures to prevent and detect security violations)
- Physical (e.g., limit workstation and facility access)
- Technical (e.g., access control and audit)
(Obligations of business associates effectively the same)
New Privacy & Security Obligations
Obligations are now the same for “business
associates” as for “covered entities” under
the law
No longer just a matter of contractual obligation to covered
entity for whom business associate works
Means enhanced enforcement and penalties under the
statute will apply to business associates, in addition to any
contractual penalties for failure to comply with privacy and
security obligations
BUT, mechanics of day-to-day compliance should
not change unless there is a need to adopt HHS-identified
best practices
New Privacy & Security Obligations
Breach Notification Requirement –
- Applies only to “unsecured” PHI
- “unsecured” = not protected by methods HHS will identify in guidance to be published April 18, 2009
- Goes into effect September 15, 2009
- Only exceptions: inadvertent internal access, or inadvertent disclosure by one authorized employee to a fellow employee at the same facility
New Privacy & Security Obligations
Breach Notification Requirement –
Business Associates: Notify Covered Entity
of Breach
- Identify each individual whose information was, or reasonably may have been, disclosed in the breach
New Privacy & Security Obligations
Breach Notification Requirement –
Covered Entities:
- Notify each individual whose information was, or reasonably may have been, disclosed in the breach
- Notify upon discovery of the breach
New Privacy & Security Obligations
Breach Notification Requirement –
Covered Entities -- Notice Specifics:
- Timing: ASAP, but no more than 60 days after breach discovered
- Content: provide brief description of what happened, including date of breach, date of discovery, types of PHI disclosed, steps individuals should take to protect themselves, what’s being done to investigate breach, contact info for further questions
- HHS & Media notice: if more than 500 individuals in an area are affected. If fewer than 500 affected, must be logged and sent to HHS annually; logs will be publicly posted by HHS
- Method: generally written, via mail; substitute notice via publication possible for those with outdated/no contact info
New Privacy & Security Obligations
Breach Notification Requirement –
Personal Health Record (“PHR”) Vendors:
-- Same breach notification requirements apply;
includes entities offering products and services
through a PHR vendor’s website and those who
access and receive information from a PHR
-- PHR Vendors are now subject to regulation by Federal
Trade Commission regarding HIPAA compliance
New Privacy & Security Obligations
Breach Notification Requirement –
HHS will publish detailed rules on notification process
for covered entities and business associates
FTC will publish detailed rules on notification process
for PHR vendors
Both sets of rules to be published by August 16, 2009
New Privacy & Security Obligations
Breach Notification Requirement –
SAFE HARBOR
Adopt HHS-identified best practices
Enhanced Enforcement & Penalties
Broader Enforcement Mechanisms:
State Attorneys General may initiate civil enforcement in federal
court if HHS or DOJ do not prosecute
-- Injunctions
-- Fines up to $25,000 for all violations of an identical
requirement or prohibition per calendar year
-- Attorneys’ fees & costs
HHS OCR can investigate and fine for alleged criminal violations
even if DOJ does not prosecute
Individuals may now be criminally liable, not just covered
entities
HHS must conduct regular audits
Enhanced Enforcement & Penalties
Increased Penalties:
Unknowing violation:
-- $100-$50,000 per; max = $25,000-$1.5 million
“Reasonable cause” but not “willful neglect”:
-- $1,000-$50,000 per; max = $100,000-$1.5 million;
no fine if corrected within 30 days of discovery
“Willful neglect”:
-- Corrected within 30 days: $10,000-$50,000 per;
max = $250,000-$1.5 million
-- Not corrected: at least $50,000 per; max at least
$1.5 million
Changes Concerning Electronic PHI
Existing right of access amended to include right to access any
electronic PHI
OK to charge reasonable, cost-based fee
Existing right to an accounting of disclosures amended to
include accounting for electronic PHI disclosures
-- Runs for 3 years, prospectively
-- Obligation starts sooner (January 1, 2011) for those
who have not yet adopted electronic capability
Only disclose “limited data set” unless an exception applies
HHS will publish rules with more specifics
Other Noteworthy Changes
Health care providers can be barred from
disclosing PHI concerning items for which
individual paid out-of-pocket in full
Be aware that insurers may not receive all
information about health conditions/risks
Other Noteworthy Changes
Unauthorized sale of PHI prohibited
-- Exceptions for research, public health purposes; payments
limited
Marketing limitations (effective February 17, 2010):
-- Marketing in context of “health care operations” limited to
communications regarding health-care related product or
service
-- No payments from third parties to do marketing unless
merely describing a health care item or service previously
prescribed or administered to recipient
-- All other marketing involving PHI requires individual’s
authorization
Resources:
HHS website on HIPAA:
http://www.hhs.gov/ocr/privacy/index.html
(has general information)
Contact CIAB – check www.ciab.com for
more information or contact Joel Kopperud
([email protected]) with questions
Please Note:
These slides are intended to provide only a general overview of
selected issues related to the new HIPAA privacy and security
requirements. They do not provide a complete analysis. The
information provided is for general use only and is not intended to
provide specific advice or recommendations, legal or otherwise, for any
individual or organization. The information provided herein is not
intended to be and should not be construed as a legal opinion or
advice. You need to consult with your own attorney or other adviser
relating to your specific circumstances or those of any organization that
you advise.
If you have any questions about these slides, feel free to contact Joel
Kopperud with the CIAB at (202) 783-4400.