Transcript Slide 1

Overview of the Omnibus Final HIPAA Rule
Kohler HealthCare Consulting, Inc.
Deanna Turner
410.461.5116
Goals for Session
Define the statutory timeline and reasons for changes to
the final HIPAA (Health Insurance Portability and
Accountability Act) Rule
Provide an overview of the changes in the final Rule
Highlight responsibilities and requirements of expanded
pool of Business Associates (BA)
Summarize new and expanded individual rights
Outline changes to “Breach Notification”
Provide advice on “Next steps”
Overview of the Omnibus Final HIPAA Rule
2
Background: Statutory Timeline
January 17, 2013: Omnibus Rule announced by the Office for Civil Rights (OCR)
of the U.S. Department of Health and Human Services (HHS)
– Largest expansion of the HIPAA privacy, security, enforcement and breach
notification requirements in at least a decade.
March 26, 2013: Effective date of the Omnibus Rule (60 days after its
January 25, 2013 publication in the Federal Register).
September 23, 2013: Date by which covered entities and business
associates must comply with the requirements (180 days after
the effective date).
Now is the time to determine whether these changes will affect
your business relationships!
Background: Why the Changes?
Updates and clarifies obligations enacted in February 2009 by the HITECH
(Health Information Technology for Economic and Clinical Health) Act
Changes are designed to advance health information
technology and incentivize use of electronic health data
and information
Consumer-based focus with orientation toward active
enforcement
Most sweeping changes since the law was first
implemented
Goal: Improve patient privacy and security protections, and
increase penalties for non-compliance
Background: What's Changed?
Expansion of responsibilities, extension of obligations, and increased
liability of business associates and covered entities;
Tightening of limits on the use and disclosure of protected health
information (PHI) for marketing and fundraising purposes;
Strengthening of individuals' rights and control over their PHI (access,
disclosures);
Establishment of new authorization requirements for individuals' PHI (sale,
research) and changes to the handling of decedents' information;
Modifications to the Notice of Privacy Practices;
Lowered "threshold of harm" for breaches and increased obligations regarding
breach notification; and
Enhancement of provisions related to enforcement and penalties for
non-compliance
Business Associates and Enhanced Requirements
Business Associates (BAs) are partners and vendors that perform functions or
services involving PHI on behalf of a covered entity
HHS added the word "maintains" to the previous definition to clarify that
entities that store or maintain PHI on a covered entity's behalf are business
associates, whether or not they ever access it
Includes the HITECH Act-mandated specific inclusion of:
– Health information organizations, e-prescribing gateways and other entities
that provide data transmission services to a covered entity and require
routine access to PHI; and
– A person that offers a personal health record to one or more individuals on
behalf of a covered entity.
Business Associates and Enhanced Requirements
Entities are Business Associates if they create, receive, maintain, transmit
or store PHI on behalf of a covered entity, even if they do not actually view
the PHI
INCLUDES:
– Health Plans
– Third Party Administrators
– E-Prescribing Gateways
– Billing Companies
– Technology Vendors
– Personal Health Record Vendors
DOES NOT INCLUDE (the "conduit" exception, limited to transient transmission
with no persistent storage of the PHI):
– Companies that serve only as conduits for PHI
– Internet service providers
– Courier services
Business Associates and Enhanced Requirements
A subcontractor is defined as a “person to whom a
business associate delegates a function, activity, or
service, other than in the capacity of a member of the
workforce of such business associate”.
Previously: It was unclear that privacy and security
rules added by HITECH extended to subcontractors
Now: Subcontractors are specifically included in the
modified definition of “business associate”
RESULT: Government has the authority to penalize
BOTH business associates and subcontractors!
Direct Liability of Covered Entities and Business Associates
Covered entities and business associates are directly liable for violations
including:
– Failure to comply with the HIPAA Security Rule's administrative, physical
and technical safeguards;
– Impermissible uses and disclosures of PHI and failure to meet certain other
requirements of the Privacy Rule;
– Failure to give notification of a breach of unsecured PHI;
– Failure to meet documentation requirements, including executing business
associate agreements; and
– Failure to disclose PHI to the HHS Secretary when required in order to
determine a business associate's compliance.
Direct Liability of Covered Entities and Business Associates
Both covered entities and business associates are liable for violations due
to the acts or omissions of their agents (including subcontractors).
– Not all business associates are automatically agents of covered entities,
and not all subcontractors are agents of their business associates.
– Liability depends on whether there is an agency relationship (under the
federal common law of agency) and whether the act or omission was within the
scope of the agency.
Covered entities and business associates are required to obtain
"satisfactory assurances" through execution of agreements with their
business associates and subcontractor business associates.
Business Associates' Obligations
The Omnibus Rule clarified that business associates must:
– Comply with the terms of their business associate agreement and use or
disclose PHI only as the agreement or the Privacy Rule permits;
– Provide PHI to the HHS Secretary upon demand for compliance investigations;
– Provide an electronic copy of PHI to an individual (or to the covered
entity) when the individual requests it and the agreement assigns that duty
to the business associate;
– Make reasonable efforts to limit PHI to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or request; and
– Enter into business associate agreements with subcontractors that create,
receive, maintain or transmit PHI on their behalf.
Expanded Individual Rights: Use of PHI for Marketing
Tightened limitations on the use and disclosure of PHI for marketing
purposes
Covered entities must obtain the individual's authorization before sending a
communication if they receive financial remuneration from a third party for
producing or distributing it, and the authorization must state that such
remuneration is involved
Communications that remain permitted without authorization (provided the
covered entity receives no financial remuneration from a third party for
them):
– Case management
– Care coordination
– Therapies
– Alternative treatments or providers
– Prescription refill reminders (permitted even with remuneration, as long
as it is limited to the reasonable cost of making the communication)
Expanded Individual Rights: Sale of PHI
Sale of PHI (a disclosure in exchange for remuneration) is prohibited without
the individual's authorization, with exceptions including:
– Disclosures for public health purposes, for research (where remuneration
is limited to the cost of preparing and transmitting the data), and for
treatment and payment; and
– Other permitted disclosures, such as those to a business associate for
activities it performs on the covered entity's behalf
The authorization must be worded clearly so that individuals can make an
informed decision
The authorization must state that the covered entity will receive
remuneration for the disclosure
Expanded Individual Rights: Patient Requests for PHI
Individuals can request that a covered entity provide electronic copies of
their health information
Covered entities that maintain PHI electronically must provide it in the
electronic form and format requested by the individual if it is readily
producible
If it is not readily producible in that format, the information must be
provided in a readable electronic form and format agreed to by the covered
entity and the individual
Covered entities may charge no more than a reasonable, cost-based fee
covering the labor and supplies (and postage, if mailed) required to
produce the electronic copy
Expanded Individual Rights: Patient Requests for Restrictions on Disclosures
Individuals can request that a covered entity not disclose to the
individual's health plan information concerning treatment for which the
provider has been paid out of pocket in full
Prior: Covered entities were not required to agree to such a request
Now: Covered entities must agree (unless the disclosure is otherwise required
by law), so they will need some method to flag the individual's record with
respect to the restricted PHI, ensuring that it is not inadvertently sent or
made accessible to the health plan, including through billing companies and
other business associates that submit claims on the provider's behalf
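One way to implement that record flag, as an added example that is not from the presentation or from any vendor's system: each billable item in the record carries a restriction flag that is set only when the individual has paid in full out of pocket and has asked for the restriction, and the routine that assembles a disclosure withholds flagged items whenever the recipient is the health plan, while other recipients (another treating provider, the individual) are unaffected. The ServiceItem layout, the Recipient categories and the sample record are assumptions made for the illustration, and the sample data is constructed, not real patient information.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Recipient(Enum):
    """Who the disclosure goes to (categories are an assumption for this example)."""
    HEALTH_PLAN = "health_plan"          # the only recipient the restriction applies to
    TREATING_PROVIDER = "provider"       # treatment disclosures are not affected
    INDIVIDUAL = "individual"            # the patient may always receive their own PHI


@dataclass
class ServiceItem:
    """One billable service in an individual's record (field names are assumptions)."""
    item_id: str
    description: str
    paid_out_of_pocket_in_full: bool = False
    restricted_from_plan: bool = False   # the flag the slide says the record needs


def request_restriction(item: ServiceItem) -> bool:
    """Honor a restriction request only when the item was paid in full out of pocket.

    Returns True if the flag was set. If the individual has not paid in full the
    provider is not obliged to agree, so the flag stays clear and False is returned.
    """
    if not item.paid_out_of_pocket_in_full:
        return False
    item.restricted_from_plan = True
    return True


def split_for_disclosure(
    items: Iterable[ServiceItem], recipient: Recipient
) -> Tuple[List[ServiceItem], List[ServiceItem]]:
    """Partition items into (release, withhold) for the given recipient.

    Only disclosures to the health plan are filtered. The withheld list is
    returned, not silently dropped, so the caller can log what was held back.
    """
    release: List[ServiceItem] = []
    withhold: List[ServiceItem] = []
    for item in items:
        if recipient is Recipient.HEALTH_PLAN and item.restricted_from_plan:
            withhold.append(item)
        else:
            release.append(item)
    return release, withhold


def sample_record() -> List[ServiceItem]:
    """Constructed sample data for the example, not real patient information."""
    return [
        ServiceItem("V1", "Office visit", paid_out_of_pocket_in_full=False),
        ServiceItem("V2", "Lab panel", paid_out_of_pocket_in_full=True),
        ServiceItem("V3", "Follow-up visit", paid_out_of_pocket_in_full=True),
    ]


if __name__ == "__main__":
    record = sample_record()
    print(request_restriction(record[0]))   # False: not paid in full, provider may decline
    print(request_restriction(record[1]))   # True: V2 is now flagged
    to_plan, held = split_for_disclosure(record, Recipient.HEALTH_PLAN)
    print([i.item_id for i in to_plan], [i.item_id for i in held])   # ['V1', 'V3'] ['V2']
    to_provider, _ = split_for_disclosure(record, Recipient.TREATING_PROVIDER)
    print([i.item_id for i in to_provider])  # ['V1', 'V2', 'V3']: treatment unaffected
```

Because the flag lives on the record rather than in the claim-building code, it travels with the PHI when the record is handed to a billing company or other business associate, which is where restricted items most often leak; the withheld list gives the audit trail showing the restriction was honored.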
Expanded Individual Rights: Use of PHI for Research
Created a simplified and streamlined process for obtaining individual
authorizations for the use of PHI in research
Prior: Researchers had to obtain a separate authorization for each distinct
research use of PHI
– Added unnecessary complexity and confusion to the process of obtaining
authorization
Now: Covered entities can ask individuals to authorize sharing PHI for a
particular research study and, by extension, use the same authorization for
related future research purposes, provided those purposes are adequately
described in the authorization
– Example: Obtain authorization to share PHI for a study and use the same
authorization for creation of a database that stores the information and
allows it to be queried for later research
Expanded Individual Rights: Use of Genetic Information
Enhanced privacy protections for genetic information
– Required by the Genetic Information Nondiscrimination Act (GINA)
Clarifies that genetic information is health information for purposes of
HIPAA
Prohibits health plans from using or disclosing genetic information for
underwriting purposes
– Exception: Issuers of long-term care policies
Health plans that perform underwriting must state this prohibition in their
Notice of Privacy Practices
Expanded Individual Rights: Privacy Practices
Covered entities must revise and redistribute their Notices of Privacy
Practices (NPPs) to describe the new privacy practices
Revised NPPs must include:
– The new authorization requirements for the sale of PHI and for marketing
(and for most uses and disclosures of psychotherapy notes)
– The covered entity's duty to notify affected individuals of a breach of
unsecured PHI
– The right to "opt out" of fundraising communications
– The right of patients to request restrictions on disclosures to a health
plan for items or services paid out of pocket in full
Data Breaches by the Numbers
94% of healthcare organizations suffered a data breach in the past two years
– Of those, 45% suffered more than 5 such incidents
Average economic impact of a data breach in 2011 and 2012 for healthcare
organizations was $2.4 million
– $400,000 greater than in 2010
– Aggregate annual cost: $7 billion
Average number of lost or stolen records per breach: 2,769
These numbers are expected to increase under the new breach standard, since
incidents that previously fell below the harm threshold will now count as
breaches.
Source: "Third Annual Benchmark Study on Patient Privacy and Data Security",
ID Experts Corp, 2012
Changes to the Breach Notification Framework
The HITECH Act of 2009 established a statutory requirement for breach
notification
Under the 2009 interim rule, HHS and major media had to be notified without
unreasonable delay when a breach affected more than 500 individuals; affected
individuals had to be notified in every case, and smaller breaches were
logged and reported to HHS annually.
Breach = "the acquisition, access, use, or disclosure of PHI in a manner not
permitted which compromises the security or privacy of the protected health
information."
Compromises = "poses a significant risk of financial, reputational, or other
harm to the individual" (the former "harm" standard)
Changes to the Breach Notification Framework
The burden of proof regarding breaches has shifted to the covered entity or
business associate
The "threshold of harm" has been lowered: the former harm standard is gone
Any acquisition, access, use or disclosure of PHI not permitted under the
HIPAA Privacy Rule is now presumed to be a breach, regardless of the number
of individuals affected.
Exception: The covered entity or business associate can demonstrate that
"there is a low probability that the [PHI] has been compromised based on a
risk assessment"
Changes to the Breach Notification Framework
A business associate that discovers a breach of unsecured PHI must notify its
covered entity "without unreasonable delay and in no case later than 60
calendar days after discovery of the breach"
Incidents that would not have met the old harm threshold will now need to be
reported to the affected individuals and to HHS's Office for Civil Rights
(OCR)
The new threshold is stricter but is intended to be more objective and
easier to interpret and apply consistently
Breach Notification - Risk Assessment
Risk assessment can be used to demonstrate that
there is a low probability that PHI has been
compromised
Risk Assessment must include consideration of the
following factors:
– The nature and extent of the PHI involved, including the types
of identifiers and the likelihood of re-identification;
– The unauthorized person who used the PHI or to whom the
disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
Breach Notification
Prepare your organization to minimize its risk of breach!
HHS stated in the Omnibus Rule that it will issue future guidance on risk
assessments associated with breaches, but no timeline was given.
Organizations should begin by focusing on identifying gaps
in compliance that led to past incidents and closing those
gaps.
Enhanced Enforcement
The final rule solidifies and enhances provisions related to:
– Compliance reviews and investigations
– Imposition of civil monetary penalties
– Procedures for hearings
Penalties for non-compliance have increased: up to $50,000 per violation,
capped at $1.5 million per calendar year for violations of an identical
provision
Requires the HHS Secretary to conduct a compliance review whenever a
preliminary review of a complaint indicates a possible violation by an
organization (covered entity or business associate) due to willful neglect
HHS has leeway in deciding the amount of a fine and can base its decision on
contributing factors (e.g., history of prior complaints, nature and extent of
the harm, etc.)
Enhanced Enforcement: Penalties

Criteria for determining penalty          Minimum penalty          Maximum penalty
                                          (per violation /         (per violation /
                                          calendar-year cap for    calendar-year cap for
                                          identical violations)    identical violations)
Violator did not know and could not       $100 / $25,000           $50,000 / $1,500,000
  reasonably have been expected to know
"Reasonable cause" and no "willful        $1,000 / $100,000        $50,000 / $1,500,000
  neglect"
"Willful neglect", violation corrected    $10,000 / $250,000       $50,000 / $1,500,000
"Willful neglect", violation not          $50,000 / $1,500,000     No specified maximum
  corrected
Next Steps for Covered Entities and Business Associates
Gap Analysis
– Conduct a gap analysis between current policies and procedures
and the new requirements
• determine what changes are needed,
• implement those changes as soon as reasonably possible.
– Identify and document business associates under the new
definition,
– Business associates should identify and document their
subcontractors
• confirm business associate agreement obligations and exposure
to liability for noncompliance
Next Steps for Covered Entities and Business Associates
Business Associates
– Create policies and procedures to comply with these new rules.
– The Privacy Rule does not require business associates to adopt their own
privacy policies or to train their workforce on the privacy rules, but it is
strongly recommended; the Security Rule, to which business associates are
now directly subject, does require documented policies and procedures and
security awareness training.
– Business associates that discover a breach must report it to the covered
entity, and a subcontractor must report a breach to the business associate.
– Ultimately, the covered entity has the obligation to notify affected
individuals of a breach, even if the breach occurred at the business
associate and even if the task of notifying has been delegated to the
business associate.
Next Steps for Covered Entities and Business Associates
Breach Notification
– Organizations should review and revise their breach notification policies,
procedures and breach response plans.
– Covered entities must notify all affected individuals without unreasonable
delay.
• 60 calendar days after discovery is the outer limit, not a safe harbor
• A breach is treated as "discovered" on the first day it is known to the
entity, or
• on the first day it would have been known had the entity exercised
reasonable diligence.
– Knowledge of a breach by a workforce member or agent of the covered entity
(including a business associate acting as its agent) is imputed to the
covered entity, and the notification clock starts at that point.
Next Steps for Covered Entities and Business Associates
Workforce Training
– Provide additional training and awareness communications to
personnel about the new requirements.
– Plan a training session with all personnel sometime in the near
future, preferably before or near the March 26, 2013 effective date
of the Omnibus Rule.
– Establish a way to monitor compliance by Business Associates and
risks on an ongoing basis, enabling quick identification and
mitigation of problems.
Next Steps for Covered Entities and Business Associates
Review and Amend Business Associate Agreements
– Update policies and procedures;
– Review and, if needed, amend existing business associate agreements to
comply with the new requirements.
OCR recently posted sample business associate agreement provisions on its
website:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
– The language may also be adapted for a contract between a business
associate and its subcontractor.
– The template provisions are a helpful starting point, but additional
revisions are advisable, such as detail regarding mitigation and reporting
timelines in the event of a breach.
Next Steps for Covered Entities and Business Associates
Revise and distribute new notices of privacy practices to individuals,
informing recipients of the following:
– the new prohibition against health plans using or disclosing genetic
information for underwriting purposes;
– the prohibition on the sale of protected health information without express
written authorization of the individual, including other uses and disclosures
such as marketing and disclosure of psychotherapy notes;
– the duty of a covered entity to notify affected individuals of a breach;
– the individual’s right to opt out of receiving fundraising communications;
and
– the individual’s right to restrict disclosures of protected health information
to a health plan where the individual paid out of pocket in full.
Questions?