HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES
February 3, 2010
Kristen L. Gentry, Esq.
Catherine M. Stowers, Esq.
Overview: The Privacy and Security Rules
• HIPAA Privacy Regulations effective April 14, 2003 (2004) (“Privacy Rule”)
• HIPAA Security Regulations effective April 20, 2005 (2006) (“Security Rule”)
• Rules apply to Health Plans, Health Care Providers and Health Care Clearinghouses – HIPAA “Covered Entities”
• Self-funded health plans (including HRAs and health flexible spending plans) are required to fully comply with the Privacy and Security Rules; fully-insured plans (group medical, dental and vision policies) have limited compliance obligations because of their limited PHI access.
HIPAA’s Privacy and Security Rules Apply to “PHI”
• Under the Privacy Rule, any unauthorized uses and disclosures of participants’ “PHI” by the Plan are prohibited.
• PHI Defined: information about a past, present, or future physical or mental health condition, or payment for medical treatment, if the information identifies or could be used to identify the participant. Includes electronic information (“ePHI”) as well as any other form.
• Does not include employment/FMLA records, disability insurance records, ADA information, drug screen results, or fitness-for-duty tests maintained by an employer outside of its role as Plan sponsor.
Certain Uses and Disclosures of PHI Permitted
• Uses and Disclosures between Covered Entities
• Uses and Disclosures for Treatment, Payment, and Health Care Operations (“TPO”)
• Uses and Disclosures to a Business Associate (an organization providing administrative, consulting or other services to the Plan) if a BA agreement is in place
• Uses and Disclosures pursuant to a valid HIPAA authorization
Individual Rights Created; Compliance Steps Required
• Individual rights include the right to notice of privacy practices, the right to request restrictions on PHI uses and disclosures, the right to confidential communications, the right to access and amend PHI, and the right to an accounting of disclosures.
• Plan required to appoint a Privacy Officer and a Security Officer
• Plan amendments required so the Plan sponsor could access PHI
• Standards related to the scope of permitted disclosures (“minimum necessary standard”), marketing, sale and other uses of PHI implemented
Privacy and Security Policies and Procedures
Plan must adopt privacy and security policies and procedures to address its compliance with all aspects of the HIPAA Privacy Rule and Security Rule, including:
• How and to whom PHI will be used and disclosed, including a policy for identifying and entering into Business Associate agreements;
• Which Plan employees will be authorized to access PHI;
• How workforce training will be addressed;
• How participant rights will be protected;
• How internal safeguards will be established (e.g. access controls, firewalls, encryption, password protection);
• What policy and process will apply for complaints and sanctions related to HIPAA violations;
• How the administrative, technical and physical safeguards required by the Security Rule will be addressed and implemented.
Other Key HIPAA Concepts Prior to HITECH Act
• Business Associates (BAs) of Plans were only obligated to comply with HIPAA as required in Business Associate agreements.
• Informal Compliance Assistance provided by CMS and OCR; enforcement was not aggressive and health plan HIPAA audits were uncommon.
• No Private Right of Action.
HIPAA Changes in ARRA
• HIPAA Privacy and Security Rules were unchanged until the American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009.
• The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended HIPAA relating to electronic health records, breach notification, increased penalties and enforcement.
• Generally effective beginning February 17, 2010.
Key Change #1: Applicability of HIPAA Privacy & Security Rules to Business Associates
• Business Associates (BAs) are now required to directly comply with the HIPAA Privacy and Security Rules, similar to Covered Entities.
• BAs are directly subject to HIPAA’s civil and criminal penalties for HIPAA Privacy and Security Rule violations.
• BAs were previously bound only by the terms of business associate agreements; a breach of contract action by the Plan was the only avenue to address violations.
Key Change #2: The Breach Notification Regulations
• Prior to HITECH, there was no legal requirement to affirmatively notify participants of an incident involving the unauthorized use or disclosure of PHI; the Plan was only required to inform participants if they asked.
• New regulations make breach notification requirements effective as of September 23, 2009, and subject to sanctions for violations any time on or after February 22, 2010.
A Breach Involving PHI
A “Breach” occurs if:
• An unauthorized access, use or disclosure of PHI occurs, and
• The access, use or disclosure compromises the security or privacy of the PHI.
• Security or privacy is compromised if the use or disclosure “poses a significant risk of financial, reputational or other harm to the individual.”
If an unauthorized use or disclosure is discovered, the Plan must perform a risk assessment to determine if the use or disclosure poses a significant risk of harm, thereby requiring notification.
Exemptions from Breach Notification Requirements
• “Secured” PHI
  • Encrypted (if electronic PHI)
  • Destroyed (if paper PHI)
• A “Limited Data Set” with zip codes and birth dates removed
• Certain disclosures between HIPAA covered entities and workforce members who have a duty to protect the information
Required Action Steps in the Event of a Breach
Discovery of the Breach
• A breach is considered discovered as of the first day the breach is known by the Plan (or its agent), or when, by exercising reasonable diligence, it would have been discovered.
• Knowledge of a breach by a workforce member or agent (BA) is attributed to the Plan.
• The time period begins to run upon knowledge of the event occurring, even before the risk assessment is completed to determine if harm could result from the incident.
Notification of Breach to Individuals
• Once a privacy or security incident is discovered, the Plan must complete a risk assessment to determine if harm to individuals could result from the incident.
  • Factors to consider – who, what, why, when, how? Subjective analysis.
• If harm is possible, notification by the Plan directly to the individuals affected by the breach is required no later than 60 calendar days after discovery of the breach.
Notification to Media Outlets and Secretary of HHS
• If the Plan does not have contact information for 10 or more affected individuals, then the Plan must post a conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside.
• If more than 500 residents of a state are affected, the Plan must notify prominent media outlets of the breach. (This is in addition to the individual notices mentioned above.)
• If more than 500 individuals’ PHI is involved, then the Plan must immediately notify the Secretary of HHS of the breach; if fewer than 500 individuals’ PHI is involved, the Plan still must notify HHS, but may wait until 60 days after the end of the calendar year.
Key Change #3: Heightened Civil Enforcement
• Under HITECH, civil penalties for HIPAA violations have increased, and HHS is required to investigate complaints of privacy and security breaches.
• HHS has announced a HIPAA audit initiative.
• Penalty Regulations effective on November 30, 2009, and apply to violations after February 17, 2010.
New Penalty Structure under Interim Final Regulations
• Plan Unaware of Violation: minimum civil penalty is $100 per violation
• Violation Due to Reasonable Cause: minimum is $1,000 per violation
• Violation Due to Willful Neglect; Corrected Within 30 Days: minimum is $10,000 per violation
• Violation Due to Willful Neglect; Not Corrected: minimum is $50,000 per violation
Each level of penalty carries with it a maximum of $50,000 per violation, and an overall limit of $1,500,000 for identical violations in a calendar year.
Criminal Liability Also Possible
• Plan employees (as well as business associates) who obtain or disclose PHI without authorization may also be criminally liable.
• Criminal liability generally extends to intentional harmful conduct for profit or personal gain.
Key Change #4: Additional Legal Remedies for Breaches
• In addition to criminal and civil penalties, the new law creates additional remedies:
  • A State Attorney General may bring an action for injunctive relief or damages on behalf of state residents adversely affected by a HIPAA violation
  • The Connecticut AG recently announced legal action for an injunction/civil penalties against Health Net based on a missing computer disk drive, and failure to take prompt action to mitigate/notify
  • Individuals may be awarded a percentage of civil monetary penalties collected for violations
Key Change #5: Increased Restrictions and Individual Rights
• “Minimum Necessary” disclosures restricted to a “Limited Data Set” unless impracticable; regulations expected
• “Health Care Operations” definition will be modified to further restrict disclosures for TPO; regulations expected
• Increased restrictions on marketing and sale of PHI
• Changes made to individual rights –
  • Additional restrictions on provider disclosures to health plans (cash payments)
  • Changes related to Electronic Health Records (“EHRs”)
  • If EHRs are used, the Plan must account for all uses and disclosures
  • Requires Plans to provide PHI electronically if EHRs are used
Task List: Steps for HIPAA/HITECH Compliance
• Revisit plan documents to ensure HIPAA-required amendments are in place, and reissue the Privacy Notice if necessary (required every 3 years).
• Revise HIPAA policies to incorporate HITECH provisions, risk assessment and breach notification requirements, OR implement up-to-date HIPAA policies for all group health plans if not previously adopted.
• Revisit Security Rule requirements to ensure administrative, technical, and physical safeguards are in place, OR implement Security Rule requirements for ePHI if not previously completed.
• Encrypt or password protect ePHI wherever practicable; review company policies for laptop computers and PDAs.
• Identify and conduct training of workforce members handling PHI; provide additional training for the new HITECH Act provisions.
• Review the workforce sanction policy (or implement one if needed).
• Ensure that Business Associate agreements are in place with all service providers handling PHI for the Plan, and that those agreements are updated for HITECH.
QUESTIONS???
CONTACT INFORMATION
• Katy Stowers
[email protected]
(317) 238-6257
• Kristen Gentry
[email protected]
(317) 238-6288