Overview of the Patient Protection and Affordable Care Act

Gwinnett Managed Care, Inc.
Final HIPAA Privacy and Security Rules
July 10, 2013
Richard D. Sanders
THE SANDERS LAW FIRM, P.C.
7 Piedmont Center, Suite 300
3525 Piedmont Road
Atlanta, Georgia 30305
(404) 364-1819
[email protected]

Overview
- Background for HIPAA Changes
- Review New HIPAA Breach Notification Rules
- Summary of key provisions of the Final Rule

HITECH Revisions – Breach Notification
- Description of Breach Notification Requirements – Pre-HITECH
- Breach Notification – Interim Final Rule Provisions – August 24, 2009
- Guidelines for Risk Analysis
- HITECH Revisions to Enforcement and Penalties
- FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules
- Breach … or No Breach
- Final Rule issued January 25, 2013; to be effective March 26, 2013

HITECH Revisions – Breach Notification
- Scope of Notification Requirements
  - Applies to Privacy Rule breaches involving both electronic and paper records
  - “Breach” means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information (45 C.F.R. §164.402)
  - Under the Final Rule, any use or disclosure of unsecured PHI not permitted under the HIPAA Privacy Rule is presumed to be a breach requiring patient notification unless the Covered Entity or Business Associate demonstrates that there is “a low probability that the protected health information has been compromised.”

HITECH Revisions – Breach Notification
- Exceptions to the “Breach” Definition
  - Unintentional access to PHI by a workforce member or other individual acting under the authority of a CE or BA if:
    - the access was in good faith and within the scope of authority of the CE/BA; and
    - the information is not further acquired, accessed, used or disclosed by such person in a manner not permitted by the Privacy Rule
  - Inadvertent disclosure by a person authorized to access the CE’s or BA’s PHI to another similarly situated person at the same CE, BA or OHCA, where the PHI is not further used in a manner not permitted by the Privacy Rule
  - Disclosure of PHI to an unauthorized person if the CE/BA has a good faith belief that such person would not reasonably have been able to “retain” the information
  - The Final Rule removes the exception for limited data sets that do not contain zip codes and dates of birth.

HITECH Revisions – Breach Notification
- Unsecured PHI Guidance
  - HITECH defines “Unsecured PHI” as PHI not secured through use of a technology or methodology required in HHS guidance to render PHI “unusable, unreadable or indecipherable to unauthorized individuals”
  - HHS issued guidance April 27, 2009, identifying two methods to secure PHI and render it unusable, unreadable or indecipherable to unauthorized individuals: encryption and destruction
  - HHS is required to update the guidance annually

HITECH Revisions – Breach Notification
- Clarified meaning of “data”: in motion, at rest, in use and disposed
- Encryption:
  - Successful use depends upon the strength of the encryption algorithm (computer program) and the security of the decryption key or process
  - Two approved processes:
    - For data considered to be “at rest” – NIST Special Pub 800-111, Guide to Storage Encryption Technologies for End User Devices
    - For data considered to be “in motion” – Federal Information Processing Standards (FIPS) 140-2
  - Exhaustive methods, not illustrative
- Destruction:
  - PHI in written form will be “secured” if the materials are shredded or destroyed and the PHI cannot be read or otherwise reconstructed
  - PHI in electronic form will be “secured” if the information is cleared, purged or destroyed consistent with NIST Special Pub 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved

HITECH Revisions – Breach Notification
- Updated HHS Guidance on Securing PHI
  - In the preamble to the regulations for breach notification, HHS updated its guidance on “securing” PHI.
  - HHS:
    - Rejected access controls, such as firewalls, as a method for securing PHI.
    - Rejected redaction as a means of securing PHI, and clarified that only the destruction of paper PHI will render that PHI secure.
    - Clarified that encryption keys must be kept on a separate device from the data that they encrypt or decrypt.
    - Reiterated its reliance on certain NIST standards as meeting the encryption standards required to secure PHI.
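The two HHS points above that bear on engineering (the decryption key must be protected, and it must be kept on a separate device from the data) are illustrated by the following added Go example. It is not part of this presentation or of any HHS or NIST publication; the RecordStore and KeyStore types, the key and record identifiers and the sample record are constructed for the illustration. It seals a record with AES-256-GCM, keeps ciphertext and key in separate stores, and shows that the record store alone yields nothing readable, that a ciphertext moved under another record id fails authentication, and that destroying the key makes the stored ciphertext unrecoverable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// RecordStore and KeyStore are hypothetical stand-ins for two physically
// separate devices: the server that holds encrypted PHI records and the key
// management system that holds the data-encryption keys.
type RecordStore map[string][]byte // record id -> nonce || ciphertext
type KeyStore map[string][]byte    // key id -> 32-byte AES-256 key

// NewKey draws a fresh 256-bit AES key from the OS random source.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// aead looks a key up in the key store and wraps it in AES-GCM.
func aead(keys KeyStore, keyID string) (cipher.AEAD, error) {
	key, ok := keys[keyID]
	if !ok {
		return nil, errors.New("key not present in key store")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals a PHI record with AES-256-GCM and writes only
// nonce||ciphertext to the record store; the key never leaves the key store.
// The record id is bound as associated data so a ciphertext cannot be
// silently moved under another record.
func EncryptPHI(records RecordStore, keys KeyStore, keyID, recordID string, phi []byte) error {
	gcm, err := aead(keys, keyID)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	records[recordID] = gcm.Seal(nonce, nonce, phi, []byte(recordID))
	return nil
}

// DecryptPHI recovers the plaintext only when both stores are available and
// the ciphertext still belongs to the record it was sealed under.
func DecryptPHI(records RecordStore, keys KeyStore, keyID, recordID string) ([]byte, error) {
	gcm, err := aead(keys, keyID)
	if err != nil {
		return nil, err
	}
	blob, ok := records[recordID]
	if !ok {
		return nil, errors.New("record not found")
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// Exposed reports whether a blob taken from the record store alone still
// contains the plaintext; for correctly encrypted PHI it does not.
func Exposed(records RecordStore, recordID string, phi []byte) bool {
	return bytes.Contains(records[recordID], phi)
}

func main() {
	records, keys := RecordStore{}, KeyStore{}
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	keys["dek-1"] = key
	phi := []byte("name=Jane Doe;dob=1970-01-01;dx=sample") // constructed, not real PHI
	if err := EncryptPHI(records, keys, "dek-1", "rec-1", phi); err != nil {
		panic(err)
	}
	fmt.Println("record store alone leaks plaintext:", Exposed(records, "rec-1", phi))
	pt, err := DecryptPHI(records, keys, "dek-1", "rec-1")
	fmt.Printf("with both stores: %q (err=%v)\n", pt, err)
	delete(keys, "dek-1") // destroying the key leaves the ciphertext unrecoverable
	_, err = DecryptPHI(records, keys, "dek-1", "rec-1")
	fmt.Println("after key destroyed:", err)
}
```

The separate key store stands in for the hardware security module or key-management service a deployment would actually use. That is also where FIPS 140-2, which the slides cite for data in motion, applies in practice: it is a standard for cryptographic modules, so it is met by using a validated module at the TLS or VPN endpoint and in the key store, not by application code such as this.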

HITECH Revisions – Breach Notification
- Discovery of Breach – Section 164.404(2)
  - A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence could have been known, to the CE or BA (other than by the person committing the breach)
  - A CE/BA is “deemed” to know of a breach when it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the CE
  - The meaning of “agent” is determined by the federal common law of agency

HITECH Revisions – Breach Notification
- Notice to Individuals – Section 164.404
  - CEs must notify individuals if “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a “breach”
  - Written Notice
    - Sent via first class mail unless the individual has specified a preference for e-mail
  - Substitute Notice
    - If contact information for the individual is insufficient or out of date, or if the notice is returned undeliverable, the CE must provide substitute notice
    - If fewer than 10 individuals are involved, notice may be by phone or other means
    - If 10 or more individuals are involved, notice must be by conspicuous posting for 90 days on the CE’s Web site or in major print or broadcast media where the affected individuals reside
    - Must include a toll-free phone number active for at least 90 days
    - Notice must be reasonably calculated to reach the individual
  - Urgent Notice
    - If there is a possibility of imminent misuse of unsecured PHI, notice is required by telephone or other appropriate means in addition to written notice

HITECH Revisions – Breach Notification
- Timing of Notice to Individuals by CE – Section 164.404(b)
  - Must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the unsecured PHI breach
- Content of CE Notice to Individual – Section 164.404(c)
  - The notice must include:
    - Description of the breach (what happened, including the date of the breach)
    - Types of information involved (such as SS#, DOB, address)
    - Mitigation, investigation and protective steps taken by the CE
    - Steps individuals should take to protect themselves
    - Contact information for questions or more information (must include a toll-free number, e-mail address, Web site or postal address)

HITECH Revisions – Breach Notification
- Notice to Media – Section 164.406
  - If a breach involves unsecured PHI of more than 500 individuals in a state or jurisdiction, the CE must notify prominent media outlets
  - Notice must be given without unreasonable delay and no later than 60 calendar days after breach discovery
  - Depending on the circumstances, an appropriate media outlet may include a local television station or a major general interest newspaper with a daily circulation throughout an entire state
- Notice to Secretary – Section 164.408
  - If a breach involves unsecured PHI of more than 500 individuals:
    - Immediately, meaning without unreasonable delay and no later than 60 calendar days after breach discovery
    - CEs are listed on the HHS Web site
  - If a breach involves unsecured PHI of fewer than 500 individuals:
    - CEs must maintain a log of breaches and submit an annual report of breaches to the Secretary
    - The date for submission will be identified on the HHS Web site and will be no later than 60 days after the end of each calendar year
- Report to Congress
  - HHS must report breaches annually to Congress

HITECH’s Revisions to Enforcement and Penalties
- Enforcement
  - HHS, specifically OCR, must formally investigate any complaint of a HIPAA violation if the initial investigation indicates a breach due to willful neglect – effective February 17, 2011
  - Required to impose CMPs if willful neglect is found
  - OCR will perform audits of CEs and BAs (probably not random onsite visits) – beginning February 2010
  - Effective February 17, 2009, state attorneys general may bring civil actions in federal court for HIPAA violations
    - HHS may intervene
    - AGs may seek an injunction or damages
    - Only if HHS has not initiated a lawsuit

HITECH’s Revisions to Enforcement and Penalties
- Penalties (per the statute and the October 30, 2009 Interim Final Rule)
  - Applicable to CEs – February 18, 2009
  - Applicable also to BAs – February 17, 2010
  - Original bases for civil enforcement retained, with increased penalties
  - Penalties based on intent – state of mind
  - CMPs collected are transferred to OCR for purposes of enforcing the Privacy and Security Rules
  - OCR will consult with GAO to develop, within 3 years, a system to provide a percentage of CMPs/settlements to individuals harmed
  - Non-CEs (e.g., employees of CEs) may violate HIPAA if PHI maintained by a CE is obtained or disclosed by a person without authorization
    - Criminal penalties
    - Broad language

HITECH’s Revisions to Enforcement and Penalties
- Penalties (cont’d): a tiered approach to CMPs
  - Did not know, and with reasonable due diligence would not have known, of the violation:
    - Not less than $100 or more than $50,000 for each violation, or
    - In excess of $1.5 million for identical violations during a calendar year
  - Reasonable cause that is not willful neglect:
    - Not less than $1,000 or more than $50,000 for each violation, or
    - In excess of $1.5M for identical violations during a calendar year
  - Willful neglect, with the violation corrected within the 30-day cure period:
    - Not less than $10,000 or more than $50,000 for each violation, or
    - In excess of $1.5M for identical violations during a calendar year
  - Willful neglect, with the violation not corrected within the 30-day cure period:
    - Not less than $50,000 for each violation, or
    - In excess of $1.5M for identical violations during a calendar year

Proposed Rule Change for HIPAA/HITECH – Notice of Privacy Practices
- The components of the HIPAA Notice of Privacy Practices require new notices regarding marketing and fundraising
- Authorization is required for any disclosure of PHI that is made in exchange for direct or indirect remuneration, unless a specified exception applies

Proposed Rule Change for HIPAA/HITECH – Additional Issues
- Privacy protection extends only 50 years after the death of the patient
- Covered entities can charge patients for costs associated with providing an individual’s ePHI on electronic media

Final Rule Change for HIPAA/HITECH – Effective Date
2013 RULE CHANGES
- The Department of Health and Human Services issued the HIPAA/HITECH Act Omnibus Final Rule January 25, 2013 (the “Final Rule”).
- The Final Rule is effective March 26, 2013.
- Covered Entities will be required to comply with most provisions by September 23, 2013.

HIPAA/HITECH ACT OMNIBUS FINAL RULE
2013 RULE CHANGES
Breach Notification:
- The Final Rule revises the definition of a “breach” and the standard for determining whether patient notification is required.
- The Final Rule replaces the harm threshold with a threshold based on the probability that PHI has been compromised.
- Any use or disclosure of PHI is presumed to be a breach requiring patient notification unless there is “a low probability that the protected health information has been compromised.”

HIPAA/HITECH ACT OMNIBUS FINAL RULE
2013 RULE CHANGES
Breach Notification (cont.):
- When determining whether there is a low probability that PHI has been compromised, Covered Entities must take into account four (4) factors:
  - The nature and extent of the PHI involved;
  - The unauthorized person who used the PHI or to whom the PHI was disclosed;
  - Whether the PHI was actually acquired or viewed; and
  - The extent to which the risk to the PHI has been mitigated.

HIPAA/HITECH ACT OMNIBUS FINAL RULE (CONT.)
2013 RULE CHANGES
Business Associates and Contractors:
- Under the Final Rule, Business Associates and Contractors are now required to comply with the HIPAA Security Rule.
- The Final Rule provides a transition period of an additional year for Business Associate Agreements (“BAAs”) already in existence to be brought into compliance with the Rule.
- For example: for BAAs that existed prior to January 25, 2013, and that are not renewed or modified during the period from March 26, 2013 to September 23, 2013, the deadline to comply with the Final Rule will be the earlier of the date on which the BAA is renewed or modified, or September 22, 2014.

HIPAA/HITECH ACT OMNIBUS FINAL RULE (CONT.)
2013 RULE CHANGES
Revised Privacy Notices:
- Under the Final Rule, Privacy Notices must now grant the recipient the right to receive breach notification.
- Covered Entities must obtain patient authorization before using PHI for marketing purposes and before selling PHI.
- Covered Entities will need to provide a revised Notice of Privacy Practices to individuals.

THANK YOU!!!
Richard D. Sanders
THE SANDERS LAW FIRM, P.C.
3525 Piedmont Road
Atlanta, Georgia 30305
(404) 364-1819
[email protected]