HIPAA Regulations Update
What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It
HIPAA COW Fall Conference, October 15, 2010
Sarah Coyne and Tom Shorter
1
Breach Notification

We talked about this last year.
Covered entities and business associates must notify patients and DHHS in the event of a breach
Ways to get off the reporting train
Interim final rule still in effect – published August 24, 2009 (final rule drafted, released, withdrawn on July 28, 2010).
2
An Endpoint!

PHI of patients deceased more than 50 years is no longer protected under HIPAA (under proposed rules)
3
AHA Data Shows Poor Hospital Compliance With HITECH

2010 AHA survey of compliance officers
85% of hospitals not HITECH-compliant
41% of hospitals have 10 or more data breaches annually
4
Family and Friends

Like Wisconsin, proposed HIPAA rules clarify that certain disclosures to friends and family are permissible
Wisconsin – may release a "portion but not a copy" if any of the following:
  patient agrees
  emergency
  family/close friend notification
  family/close friend involved in care
5
Redisclosure

Original HIPAA stands: no protection for records redisclosed by recipient.
Wisconsin – no redisclosure unless:
  Patient authorizes
  Court orders
  Consistent with original purpose of disclosure
6
Minimum Necessary
Current Law

Uses, disclosures, and requests should be limited to a limited data set, when practicable
If a limited data set is not practicable, should be limited to the minimum necessary to achieve the purpose of the use/disclosure
The CE or BA disclosing gets to make the call on what is the minimum necessary
7
Minimum Necessary
Proposed Rule

Proposed rule did NOT provide new requirements for the minimum necessary rule – so we are still stuck with the default of a limited data set for now
Solicited comments on what guidance would be helpful to CEs and BAs
8
Minimum Necessary
What Do We Need To Do?

Revise BAAs and Privacy Rule policies and procedures to limit uses, disclosures, and requests to a limited data set (where practicable)
  May need to revise again when new provisions come out – some CEs have chosen to wait for further guidance to revise BAAs
Make sure workforce members are aware of changes to the minimum necessary rule
9
Marketing
Current Law

Three exceptions to the definition of "marketing":
  Communications made to describe a health-related product or service provided by the CE
  Communications made for treatment
  Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, providers or settings of care
10
Marketing
Current Law

Communications that previously fell outside the definition of "marketing" may now constitute marketing if the CE receives payment from a third party for making the communication (and will require patient authorization)
11
Marketing
Current Law

Limited exceptions:
  A communication describing only a drug or biologic the recipient is currently prescribed (payment must be reasonable)
  A communication made by a BA on behalf of the CE (and the communication does not violate the BAA)
  A communication pursuant to a valid patient authorization, if the communication is made by the CE (obviously)
12
Marketing
Proposed Rule

Subsidized treatment communications do not require authorization BUT they are subject to notice and opt-out
  Opt-out must be in the communication, and it must be relatively easy to opt out
  NPPs must contain a statement about subsidized treatment communications
13
Marketing
Proposed Rules

Only specified HCO communications require authorization if the CE receives financial remuneration in exchange for making the communication
  Rule attempts to clarify differences between HCO and treatment communications
  Defines "financial remuneration"
14
Marketing
Proposed Rule

Subsidized refill reminders and other communications about currently prescribed drugs/biologics do not require authorization (payment must be reasonable)
Face-to-face communications and promotional gifts of nominal value still permitted
15
Marketing
What Do We Need To Do?

All arrangements where a CE receives remuneration from a third party to make patient communications must be reviewed to see whether an authorization is required
Evaluate whether an exception applies
If an exception does not apply, you will need a patient authorization
16
Fundraising
Current Law

Must provide a clear and conspicuous opportunity to opt out of any further fundraising communications
Strict compliance with the opt-out – no more "reasonable efforts" to comply
An individual's choice to opt out must be treated as a revocation of authorization
17
Fundraising
Proposed Rule

Minor clarifications:
  Each fundraising communication to a patient must include a clear and conspicuous opt-out
  CE may not condition treatment or payment on an individual's decision
  If an individual opts out, CE may not send further fundraising communications
  Statement in NPP still required
  Request for comment on PHI to be used in fundraising communications
18
Fundraising
What Do We Need To Do?

Implement a system for tracking opt-out decisions
Ensure all fundraising communications have a clear opt-out process
Opt-out process may include a phone or email option, but requiring individuals to write a letter may be an "undue burden"
19
Accounting From EHR For TPO
Current Law (sort of)

HITECH Act requirements are not yet effective
  If you had an EHR as of 1/1/09, effective date is 1/1/2014
  If you adopted an EHR after 1/1/09, the effective date is the later of 1/1/11 or the date the EHR is acquired
As of the applicable effective date, if you have an EHR, must account for disclosures made through the EHR for treatment, payment, and health care operations
Must account for such disclosures for the past three years (as opposed to six years for other accounting requirements)
20
Accounting From EHR For TPO
Current Law (sort of)

Covered entities have the option of either:
  Including the EHR disclosures made by their BAs in the same accounting of disclosures report, or
  Providing a list of their BAs who would then be required to provide an accounting to the patient (must include the contact information)
21
Accounting From EHR For TPO
Current Law (sort of)

HITECH Act required creation of regulations addressing what information should be collected for accountings through EHR
Regulations should only require information that takes into account:
  The interests of the individuals in learning the circumstances under which their PHI is being disclosed, and
  The administrative burden for such accountings
22
Accounting From EHR For TPO
Proposed Rule (not yet)

Proposed rule was anticipated in June 2010…didn't happen
Little guidance available on what information will be required for these types of accountings
23
Accounting From EHR
What Do We Need to Do?

Cross your fingers that the government proposes a reasonable rule…
If you are going to purchase and implement an EHR, make sure it has accounting capabilities
If you already have an EHR, start to work with your vendor on how to meet the accounting requirements if it doesn't currently have this functionality
24
Security Rule
Risk Analysis Guidance

Guidance is based on NIST recommendations
Recognizes that risk analysis methods will vary based on size, complexity, and capabilities of the organization
The result of the risk analysis determines how the CE should approach the implementation specifications – particularly addressable ones
25
Security Rule
Risk Analysis Guidance

Elements of a risk analysis:
  Determine scope of risk analysis
  Identify where e-PHI is stored, received, maintained, transmitted
  Identify threats and vulnerabilities
  Assess current security measures
  Determine the likelihood that a threat will occur
  Determine potential impact of potential threats
  Assign a risk level to identified threats/vulnerabilities
  Document assessment
26
Security Rule
Risk Analysis Guidance

Must document risk analysis process
  Document assigned risk levels and a list of corrective actions to be performed to mitigate each risk level
  Documentation helps justify decisions for addressable standards
Must periodically review and update the risk assessment – ongoing process
  Frequency will vary among CEs
  Should be performed as technologies and business operations change
27
Risk Analysis Guidance
What Do We Need To Do?

Make sure you have documented your risk analysis
Make sure your addressable implementation specifications align with results of the risk analysis
Make sure you periodically review and update your risk analysis (don't forget remote users and portable devices!)
Update your security safeguards if necessary
28
Security Safeguard Trends

Encryption continues to become more and more important:
Encryption = exception to breach notification
  PHI is rendered unusable, unreadable, or indecipherable if NIST encryption standards for data at rest and in motion are followed
  Not all encryption technologies meet NIST standards – check your technology
Final Certification Rule = EHR certification requires encryption capabilities
29
Security Safeguard Trends

Destruction of PHI
Exception to security breach notification if PHI has been destroyed as follows:
  Paper, film, and other hard copy media are shredded or destroyed so PHI cannot be read or reconstructed (redaction is not sufficient)
  Electronic media is cleared, purged, or destroyed consistent with NIST standards on media sanitization
30
Security Safeguard Trends

HHS to issue annual guidance on the most effective and appropriate technical safeguards – Risk Analysis was first in the series
For helpful Security Rule guidance, see:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
  Security Rule Educational Series
  Relevant NIST Standards
  Risk Analysis Guidance
  Remote Use Guidance
31
Business Associates
Current Law

Under HITECH, Business Associates are DIRECTLY liable for compliance with the Security Rule and with uses and disclosures under the Privacy Rule
Requires affirmative compliance obligations – details clarified somewhat in the proposed rules of July 14 and will be further clarified in final rules and other guidance.
32
Business Associates
NPRM

Expansion of definition of BA to include:
  Health Information Organizations
  E-Prescribing Gateways
  Entities/individuals that
    Provide data transmission services with respect to PHI AND
    Require access on a routine basis to that PHI
Definition will not include “conduits” only accessing PHI on a random or infrequent basis
33
Business Associates
NPRM

Definition of BA will include SUBCONTRACTORS!
Endless downstream flow of obligations
34
Business Associates
NPRM

Reference patient safety activities
Exempt certain entities from the BA Agreement requirement, including:
  Some governmental agencies that perform enrollment and eligibility activities for another governmental agency’s health plan
35
Business Associates
NPRM

Clarified liability of BAs:
  Will be directly liable for Security Rule violations
  Will be directly liable for impermissible uses and/or disclosures under the Privacy Rule
  Failure to disclose to the Secretary or to provide e-access
36
Business Associates
NPRM

Changes to liability of CEs
  Will be liable for acts of BAs acting as CEs’ agents within scope of agency
37
Business Associates
Timing

Continue to enter into and comply with BA Agreements
  Comply with requirements in the HITECH Act now
  Proposed rules contemplate a general compliance date of 180 days after the effective date of final rules
  Proposed rules contemplate a transition period for BAA revision ending on the earliest of:
    When the BA relationship is changed in any way after 240 days from publication of the final rule
    One year and 240 days after publication of the final rule
38
Business Associates
Practical Guidance

Be prepared to act!
  BAs will be required to have BA Agreements with Subcontractor BAs
  This is the BA's obligation, not the CE's obligation (although practically speaking, CEs should make sure it happens.)
39
Disclosing PHI to Health Plans
Current Law

45 CFR 164.506. A covered entity may, without the individual’s authorization, use or disclose protected health information for its own treatment, payment, and health care operations activities.
  To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care
  A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.
40
Disclosing PHI to Health Plans
Current Law

“Payment” is defined as the activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment activities include:
  Determining eligibility or coverage under a plan and adjudicating claims;
  Risk adjustments;
  Billing and collection activities;
  Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  Utilization review activities; and
  Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
41
Disclosing PHI to Health Plans
Current Law

A CE must limit disclosures of PHI for payment to the Minimum Necessary
A CE must develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for payment based on those who need access for their jobs
A CE may choose to obtain an individual’s consent for it to use and disclose information for payment
Individuals have the right to request restrictions on how a CE uses and discloses PHI about them for payment. A CE is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees.
42
Disclosing PHI to Health Plans
Proposed Regulations

CE must agree to an individual’s request to restrict disclosure of PHI to a health plan if:
  PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the CE in full out of pocket
  Disclosure is not required by other law
43
Disclosing PHI to Health Plans
Proposed Regulations

CE cannot require an individual to pay out of pocket for all services if that individual wishes to restrict disclosures regarding only certain services
If the individual’s payment is not honored, and the payment issue cannot otherwise be resolved with the individual, the covered entity may submit PHI to the health plan for payment
NPRM requests public comment to resolve various operational issues
44
Enforcement
Current Law

Sections 13409, 13410 and 13411 of the HITECH Act:
  Criminal penalties for individuals such as employees
  Noncompliance due to “willful neglect”
  Distribution of certain Civil Monetary Penalties
  Tiered increases in Civil Monetary Penalties
  Enforcement by State Attorneys General
  Audits
45
Enforcement
Current Law

Enforcement Interim Final Rule (IFR)
  Published Oct. 30, 2009; effective November 30, 2009
  Implemented Section 13410(d) of the HITECH Act by:
    Setting four categories of violations reflecting increasing culpability
    Setting four corresponding tiers of penalty amounts, increasing minimum penalty amounts
    Establishing a maximum penalty amount of $1.5 million for all violations of an identical provision
    Revising affirmative defenses
    Providing a prohibition on the imposition of penalties for any violation corrected within 30 days, if the violation was not due to willful neglect
46
Enforcement Under NPRM

Incorporates "willful neglect" and gives a definition
Mandates certain investigations
Increases ability of HHS to see PHI for enforcement investigations
Gives definition to factors considered in investigation
47
Enforcement Under NPRM

OCR will investigate if preliminary investigation indicates “willful neglect”
OCR not required to seek informal resolution before proceeding to formal enforcement
Revised definition of “reasonable cause”
Guidance as to categories of culpability in preamble
48
Enforcement
Actions to Take Now

Develop and implement HIPAA-compliant policies and procedures
Properly secure PHI to access the Breach Notification safe harbor
Complete self-audits to confirm PHI is protected
If a violation is discovered, act quickly to discontinue and correct
Strengthen complaints process to resolve cases prior to federal claim
Observe HIPAA’s relevant remediation requirements
49
De-Identification
Current Law

De-identification under 45 CFR §164.514(b)
Statistical approach:
  A qualified statistical or scientific expert concludes, through the use of accepted analytic techniques, that the risk the information could be used alone, or in combination with other reasonably available information, to identify the subject is very small.
50
De-Identification
Current Law

“Safe Harbor” approach permits a covered entity to consider data to be de-identified if:
  It removes 18 types of identifiers (e.g., names, dates, and geocodes on populations with fewer than 20,000 inhabitants)
  It has no actual knowledge that the remaining information could be used to identify an individual, either alone or in combination with other information.
51
De-Identification
Current Law – Safe Harbor

Must remove the following identifiers of the individual, relatives, employers, and household members:
  Names
  All dates except year, and ages >89
  Fax #s
  SSN
  Health plan #
  Certificate/license #
  Device IDs and Serial #s
  IP address
  Full face photo
  Geographic subdivisions smaller than state, except for the initial 3 digits of zip if it contains > 20,000
  Telephone #s
  Email addresses
  Medical Record #
  Account #
  VINs and Vehicle Serial #s
  URLs
  Biometric identifiers, i.e. finger or voice prints
  Any other unique ID #s, characteristics or codes
52
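The Safe Harbor rules listed above, applied mechanically to one record, as an added example that is not part of the presentation: the field names, the restricted ZIP-prefix table and the free-text patterns are constructed assumptions for illustration, and the 20,000-person prefix test must be backed by real Census data in practice.

```python
"""Safe Harbor de-identification of one patient record (added example).
Direct identifiers are dropped, dates keep only the year, ages over 89
collapse to "90+" with the birth year suppressed, ZIP codes keep only the
initial 3 digits unless the prefix is sparsely populated, and free-text
notes are scanned for identifier shapes. Field names are this example's own.
"""
import re
from datetime import date

# Direct identifiers that are removed outright under Safe Harbor.
REMOVE_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "account",
                 "health_plan_id", "license", "vin", "device_id", "url",
                 "ip", "biometric", "photo"}
# Constructed placeholder: 3-digit ZIP prefixes covering <= 20,000 people.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
AGE_CAP = 89                     # ages above this collapse to "90+"
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
# Identifier shapes that commonly leak into free text; replaced by a tag.
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]

def _parse(value):
    m = DATE_RE.match(value)
    if not m:
        raise ValueError(f"unparseable date: {value!r}")
    return int(m[1]), int(m[2]), int(m[3])

def redact_text(text):
    """Replace identifier-looking substrings in free text with a tag."""
    for tag, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{tag}]", text)
    return text

def deidentify(record, today=date(2010, 10, 15)):
    """Return a new record with Safe Harbor transformations applied."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "dob":
            y, m, d = _parse(value)
            age = today.year - y - ((today.month, today.day) < (m, d))
            over = age > AGE_CAP
            out["age"] = "90+" if over else age
            if not over:             # a birth year would reveal an age > 89
                out["birth_year"] = y
        elif key.endswith("_date"):  # admission, discharge, death, ...
            out[key[:-5] + "_year"] = _parse(value)[0]
        elif key == "zip":
            zip3 = value[:3]
            # The rule's convention for a sparse prefix is to report 000.
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "notes":
            out["notes"] = redact_text(value)
        else:
            out[key] = value
    return out
```

Stripping fields satisfies the first Safe Harbor condition only; the "no actual knowledge" condition on the remaining data (such as a rare diagnosis combined with a 3-digit ZIP) still has to be judged separately.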
De-Identification
2010 Workshop

OCR hosted a Workshop on the Privacy Rule’s De-Identification Standard in March 2010
  OCR will use information gained through the workshop to develop the guidance required & supported by ARRA.
  OCR accepted comments after posting
  OCR promised guidance on its web site
  All materials developed for the workshop are posted on the OCR web site.
53
De-Identification
Practical Guidance

Even if you fit within a safe harbor, are there other sources of liability for sharing de-identified data?
  If a CE or BA shares de-identified data, an agreement between the parties should prohibit the recipient from attempting to re-identify individuals.
  Require security measures even for de-identified information
  Require use of limited access datasets
  Require education and training of staff de-identifying data
54
Questions?
Sarah Coyne
(608) 283-2435
[email protected]
Quarles & Brady LLP
Tom Shorter
(608) 284-2239
[email protected]
Godfrey & Kahn, S.C.
55