Local Human Services Organization and Governance

HIPAA Update:
New Rules, New Challenges
Jill Moore
April 2013
New Rules
• Business Associates
• Breach Notification
• Individual Rights
• Enforcement
Business Associates
• A person or entity that creates, receives, transmits, or maintains PHI in the course of providing business or administrative functions for a covered entity
– Includes HIOs, HIEs, and PHR vendors who work on behalf of a covered entity
– May include researchers in some circumstances (not automatic – analyze the particular situation)
Business Associates
• Changes to BA responsibilities
– Now directly responsible for HIPAA compliance and directly liable for violations
– Must identify their own BAs (subcontractors) and enter BA agreements with them to assure “downstream” compliance
Business Associates
• Review your business relationships to identify BAs or BA-like relationships within your entity.
• Review your hybrid entity designation to ensure those acting in a BA-like capacity are part of the covered component.
• Execute or update BA agreements.
You may need to dust off your HIPAA jargon dictionary.
Breach Notification
• Must notify individuals of security breaches.
• Unauthorized acquisition, access, use, or disclosure of PHI is presumed to be a breach unless:
– A specific exception in the rule applies, or
– A risk analysis shows a low probability that the PHI was compromised, or
– You’re in a “safe harbor” as defined by the rule.
Breach?
Specific exceptions
• PHI could not reasonably have been retained
• PHI access is unintentional and by a workforce member or business associate acting in good faith
• Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI
Risk analysis factors
• Nature and extent of the PHI, including types of identifiers and likelihood of re-identification
• The unauthorized person who received the disclosure or used the PHI
• Whether the PHI was actually acquired and viewed
• Extent to which any risk to the PHI has been mitigated
Safe Harbor
• Don’t have to notify if:
– PHI was encrypted consistent with HHS guidance (rendering it unusable, unreadable, or indecipherable to unauthorized persons), and the decryption key was not also compromised, or
– PHI was disposed of in keeping with HHS guidance on secure disposal.
• Encryption that does not meet the HHS guidance, or a lost key stored alongside the data, does not put you in the safe harbor; you are back to the risk analysis.
Recipients & timing of notice
• Affected individuals – without unreasonable delay, and no later than 60 days after discovery of the breach
• US DHHS – if 500 or more individuals are involved, contemporaneous notice (within the same 60-day window); otherwise, log the breach and report it annually, within 60 days after the end of the calendar year
• Media – if more than 500 residents of a state or jurisdiction are involved, within 60 days of discovery
Content of notice
• Description of the incident, the PHI involved, advice to individuals on how to minimize harm, the actions you’ve taken to investigate and mitigate, and contact information for more information.
Method of notice
• Written letter (standard); email if the individual’s prior agreement to email notification was obtained; telephone if urgent (but also send written notice).
Breach Notification
Review and update breach notification procedures to reflect the new risk analysis.
Follow the procedures developed under the old rule until September 23, 2013; after that date you must follow the new rule.
Individual Rights
• Restrictions on disclosures
• Access to electronic PHI
• Notice of Privacy Practices
• Other changes affecting decedents’ records,
immunization records for schools, a couple of
other things
Restrictions on disclosures
• Care paid for out-of-pocket
– Upon the patient’s request, no disclosure of that information to health plans (insurance) unless disclosure to the health plan is required by law
• Does not limit disclosures to public health
• Does not limit disclosures to other health care providers for treatment purposes
Access to electronic PHI
• Individuals have a right of access to their own PHI.
• If the patient requests PHI in electronic form, you must provide it if you already maintain the information electronically and the form requested is “readily producible.” If it is not readily producible, you must reach agreement with the individual on an alternative form.
• Take a close look at the issue of providing PHI by email, including whether it will be encrypted and what you will tell the individual about the risk of unencrypted email.
Notice of Privacy Practices
• Must be revised to reflect the rule changes, including:
– The covered entity’s legal duty to give notice of breaches.
– The right to request restriction of disclosures to health plans for care paid in full out-of-pocket.
• The revised Notice must be disseminated:
– To new clients, in accordance with current policies
– To existing clients on request
– Via your website, if you have one
Individual Rights
Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket.
Review and, if necessary, update policies about individual access to PHI to address electronic access and the use of email to deliver PHI.
Revise the Notice of Privacy Practices and disseminate it.
Enforcement
• New: HHS must investigate violations if a preliminary review of the facts suggests “willful neglect” by the covered entity or BA.
Practice tip!
In an investigation, expect HHS to request copies of your policies. You will want them to be readily accessible and up-to-date.
Checklist
• Review business relationships and update hybrid entity designation and business associate agreements.
• Update breach notification policies and procedures.
• Update policies regarding individual access.
• Update the Notice of Privacy Practices and disseminate it.
• Review other policies (training, workforce, etc.) and update if needed.
• Compliance dates:
– September 23, 2013 for most matters
– September 22, 2014 for some existing BA agreements