Changes to HIPAA: How New Privacy Rules Will Affect Your Business

Polsinelli PC. In California, Polsinelli LLP
Changes to HIPAA - How New Privacy Rules will Affect Your Business
ALFA 2013: Conference and Expo
Matthew J. Murer, May 7, 2013


DESCRIPTION

To offer health insurance, or to not offer health insurance: That is the question. Due to the Individual Mandate portion of the Affordable Care Act, most individuals will be required to have minimum essential health insurance coverage or pay a penalty beginning in 2014. The Individual Mandate has significant implications to nearly all employers with more than 50 full-time employees. This session will help you weigh your options by providing insights on the impact of the Individual Mandate on your organization from an operational, cost, and tax perspective. It will also outline strategies related to the law that may be helpful as you prepare to decide whether or not to offer employer-sponsored health insurance.

TRANSCRIPT

Page 1: Changes to HIPAA: How New Privacy Rules Will Affect Your Business


Page 2: Faculty

real challenges. real answers. sm

Matthew J. Murer
Chair, National Healthcare Practice
Polsinelli, PC
(312) [email protected]

Page 3: Important Final Omnibus Rule Dates and Deadlines

Publication Date: January 25, 2013 (www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf)
Effective Date: March 26, 2013
Compliance Date: September 23, 2013 (unless otherwise indicated)
Business Associate Agreement Compliance Date: September 22, 2014 (for “grandfathered” BAAs)

Page 4: Overview of Key Modification Areas

Business Associates
Breach Notification Rule
Individual Rights
– Right to Access
– Revisions to NPP
– Mandatory Right to Restriction
New Requirements for Uses/Disclosures
– Marketing
– “Sale” of PHI
– Prohibition on use of Genetic Information for Underwriting
– Research
Enforcement

Page 5: HIPAA (1996) and HITECH Act (2009)

Privacy Rule
Security Rule
Transactions Rule
Breach Notification Rule

Page 6: The Basic HIPAA Privacy Rule

A Covered Entity or its Business Associate may not use or disclose Protected Health Information unless that type of use or disclosure is specifically permitted by HIPAA.

Page 7: What is a Covered Entity?

Health Care Providers – who transmit health information in electronic form in connection with one or more designated standard transactions
Health Plans – individual or group health plans that provide or pay the cost of medical care
Health Care Clearinghouses – entities that process electronic health information from non-standard to standard format, or vice-versa

Page 8: What does it mean to be a Business Associate?

A Business Associate is a person or entity who provides services on behalf of a Covered Entity, if the services involve use or disclosure of Protected Health Information.

*Covered Entities enter into Business Associate Agreements (BAAs) with Business Associates

Diagram: a Covered Entity surrounded by its Business Associates – Lawyers, Actuaries, Consultants, Insurance Companies/HMOs, Other Vendors

Page 9: BUSINESS ASSOCIATE CHANGES, Part 1

Category of entities that will be considered Business Associates has been expanded to include:
– Entities that transmit and need routine access to PHI (such as HIOs and E-Prescribing Gateways)
– PHR/EHR vendors who serve Covered Entities
– Subcontractors who create, receive, maintain, or transmit PHI for a Business Associate

Page 10: BUSINESS ASSOCIATE CHANGES, Part 1

Categories of entities that are not included in the new Business Associate definition are:
– Health care provider who receives PHI from another provider for treatment
– Plan sponsors, with respect to disclosures by Group Health Plans
– Government agencies (determining eligibility)
– OHCA participants
– “Conduits” – transmission services w/ temporary storage of PHI
  • Maintaining PHI (even without viewing) = BA
  • Impact on Cloud Vendors

Page 11: BUSINESS ASSOCIATE CHANGES, Part 2

Business Associates are now directly liable, and subject to OCR enforcement, for:
– Impermissible uses and disclosures of PHI and ePHI
– Failure to comply with the Security Rule
  • Business Associates must have in place the same security measures as are now required of Covered Entities
– Failure to provide notification of breach to a Covered Entity

Page 12: BUSINESS ASSOCIATE CHANGES, Part 2

Business Associates are now directly liable, and subject to OCR enforcement, for:
– Failure to provide access to PHI/ePHI to an individual as necessary to satisfy CE’s obligations (i.e., if requested by CE)
– Failure to provide an accounting of disclosures (similar to current requirement)
– Failure to enter into BAAs with downstream subcontractors
– Failure to cooperate with HHS in any compliance investigation

Page 13: Business Associate Changes, Issues of Agency

Potential Liability of CE or BA for “agents”
– CE liable for BA violations if BA is agent under federal common law and the act is within the scope of agency
– BAs will be liable for subcontractor’s violations under same circumstances

Page 14: Business Associate Changes, Issues of Agency

Federal Common Law of Agency
– Is there an agency relationship?
  • Contract language AND facts/circumstances
– Which party controls or has the ability to control?
– OCR says if CE can only control through amendment of the BAA or by suing for breach, then BA not an agent

Page 15: Business Associate Changes, Issues of Agency

Federal Common Law of Agency
– If there is an agency relationship, was the conduct within the scope of the agency?
  • Time, place, purpose of conduct and whether the CE would reasonably expect the conduct
  • Ability of CE to control the conduct
  • Whether the conduct was the type that would be expected to perform the service

Page 16: BUSINESS ASSOCIATE CHANGES, Part 3

COVERED ENTITY ACTION STEPS:
1. Identify your Business Associates (BAs) and evaluate agency issues
2. Review and/or revise Business Associate Agreements (BAAs) – consider indemnification, insurance, etc.
   – Existing BAAs (entered into prior to January 25, 2013) are “grandfathered” in until September 22, 2014 (unless modified before then)
3. Execute BAA with new BAs

BUSINESS ASSOCIATE ACTION STEPS:
1. Determine if you are a BA; if so, review or execute BAAs with CEs and subcontractors and evaluate agency issues
2. Comply with HIPAA Security Rule (need Security Officer)
3. Implement HIPAA Privacy Policies and Procedures

Page 17: BREACH NOTIFICATION RULE

“Breach” means the acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information.

Three exceptions:
(1) Unintentional acquisition, access or use of PHI by a workforce member in the scope of duties – no further access or disclosure
(2) Inadvertent disclosure from one authorized person to another within a CE/BA – no further access or disclosure
(3) Disclosure of PHI where CE/BA has good faith belief that the recipient cannot retain the information

New Rule did not change these provisions

Page 18: BREACH NOTIFICATION RULE, cont’d

OLD STANDARD:
– the breach “poses a significant risk of financial, reputational, or other harm to the individual” (the risk of harm standard)

NEW STANDARD:
– any unauthorized use or disclosure of PHI/ePHI that does not meet one of the exceptions is presumed to be a “breach” UNLESS the CE/BA can demonstrate (through a written risk assessment) that there is a “low probability that the PHI has been compromised”

Note: The term “compromise” is no longer defined.

Page 19: BREACH NOTIFICATION RULE, cont’d

Risk Assessment – Factors that must be considered:
– Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom the disclosure was made
– Whether the PHI was actually acquired or viewed
– The extent to which the risk to the PHI has been mitigated

Page 20: BREACH NOTIFICATION RULE, cont’d

CE/BA can decide to notify WITHOUT conducting a risk assessment
No longer an exception for limited data sets
Encryption and destruction are the only 2 methods to “secure” PHI – which is exempt from notification requirements. See www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotification/brguidance.html
Notice to HHS (less than 500 records) has to occur within 60 days of the end of the year in which breach was “discovered,” not in which it “occurred”
Compliance required by September 23, 2013 – in the interim, HHS states that the old standard is to be followed
Note: Must also consider applicability of state breach notification laws

Page 21: BREACH NOTIFICATION RULE, cont’d

ACTION STEPS:
– Evaluate if encryption is feasible
– Review/revise BAAs (which entity is going to provide notice to individuals and bear costs)
– Review/revise Notice of Privacy Practices (must state individuals will be notified if there is a breach of their unsecured PHI)
– Revise policies and procedures to address new standard
– Train workforce members on the new standard and the importance of promptly reporting potential impermissible uses and disclosures

Page 22: INDIVIDUAL RIGHTS

Individuals have a right to receive an electronic copy of their ePHI
– Must provide ePHI in form or format requested if readily producible; otherwise in a readable electronic form or format agreed to by parties
– Individuals can direct the copy to go to a third person
  • Request must be in writing and signed

HHS Clarifications:
– Providers not required to give direct access to their systems
– ePHI linked data must also be provided
– Can provide hard copy and ePHI, if record is mixed
– Don’t have to use an individual’s flash drive, etc.
– Unencrypted email acceptable if individual waives risk of interception
– 30 days to provide records; 30 day extension upon notice
– Charging for labor costs is acceptable, but consider state law; can also charge for cost of electronic media, e.g., CD, USB drive

Page 23: Individual Rights, Cont’d.

New Content in Notice of Privacy Practices
– Statements that sale of PHI, marketing communications and use/disclosure of psychotherapy notes require authorization
– Statement that individual can opt-out of fundraising communications
– Statement about individual’s right to receive breach notifications
– Statement about mandatory restrictions

Page 24: Individual Rights, Cont’d.

New Content in NPP Specific to Health Plans
– Statement that genetic information may not be used for underwriting purposes
  • Applies to health plans that engage in underwriting (excludes issuer of a long-term care policy)

Page 25: Individual Rights, Cont’d.

Distribution of Revised NPPs
– Must be distributed if “materially” revised
– Health Plans may distribute by:
  • Posting on website by the effective date of the change (i.e., September 23, 2013) and then including the new NPP in the next annual mailing, OR
  • Mailing the new NPP within 60 days of the change (i.e., within 60 days after September 23, 2013)

Page 26: Individual Rights, cont’d

Individuals can restrict disclosures to health plans if PHI pertains to item or service for which individual paid out-of-pocket in full
– Need to be able to flag or segregate portions of medical record
– Doesn’t apply if payment is dishonored (e.g., check bounces)
– Individual must notify downstream providers

Page 27: MARKETING

Marketing is a communication about a product or service that encourages purchase or use, EXCEPT it does not include:
– Refill reminders or other communication about a product currently prescribed, but only IF payment received for making communication is reasonably related to cost
– Communications about treatment, case management, care coordination or a health-related product or service provided by the CE, but only IF CE does not receive direct or indirect payment for the communication from or on behalf of a third party whose product or service is being described

If a communication is “marketing,” it requires an authorization unless:
– It is face-to-face (even if CE receives payment to do so)
– Promotional gifts of small value

If marketing involves payment, authorization must state that payment is involved

Page 28: MARKETING

Health Plan Action Item
– Evaluate all subsidized communications
  • E.g., adherence programs, disease management programs may be funded by manufacturers

Page 29: FUNDRAISING

Individuals must be provided with a clear and conspicuous opportunity to opt-out of receiving fundraising communications (must include opt-out in Notice of Privacy Practices)
Applies equally to fundraising communications made in writing and over the telephone
Method for the opt-out option is in the discretion of the CE; however, it may not cause the individual to incur undue burden or more than nominal cost
Applies only if an individual’s PHI is used to make the communication – not merely if a communication is made

Page 30: “SALE” OF PHI

General Rule:
– Must obtain authorization if CE receives direct or indirect remuneration (including nonfinancial) in exchange for the disclosure of PHI
– Authorization must state that CE is receiving direct or indirect remuneration in exchange for the PHI
Includes remuneration for access, license, or lease agreements related to PHI
Covers remuneration for the PHI (or access to the PHI), not for services involving access to the PHI (e.g., HIE)
Exceptions – public health activities, treatment and payment, sale of CE, research capped at cost to prepare and transmit PHI, remuneration to BA for services, disclosures required by law, providing access or accounting to an individual, and permitted disclosures where CE only receives reasonable cost-based fee to prepare and transmit

Page 31: GINA

Genetic Information is PHI
Use or disclosure of genetic information for underwriting purposes is prohibited (except long-term care plans)
Definitions are broad

Page 32: GINA - Definitions

Genetic Information
– Information about genetic tests of an individual or family member (including fetus or embryo of either)
– Manifestation of a disease or disorder in family members of the individual
– Any request for, or receipt of, genetic services (genetic test, counseling or education) or participation in clinical research which includes genetic services

Page 33: Genetic Information, cont’d.

“Genetic information” does not include information about the individual’s sex or age
“Genetic test” does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder or pathological condition

Page 34: GINA - Definitions

Underwriting
– Rules for, or determination of, eligibility (including enrollment and continued eligibility) for benefits under the health plan, coverage or policy (including changes in deductibles or other cost sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program)

Page 35: Underwriting – definition, cont’d.

– Computation of premium or contribution amounts under the plan, coverage or policy (including discounts, rebates, payments in-kind or other premium differential mechanisms in return for activities such as completing an HRA or participating in a wellness program)

Page 36: Underwriting – definition, cont’d.

– The application of any pre-existing condition exclusion
– Other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits

Page 37: Underwriting - Exclusion

Underwriting does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage or policy

Page 38: RESEARCH

Authorizations for future research permitted
– Must still meet all of the core elements required to be in the authorization, including an expiration date or event (e.g., “end of research study” or “none”)
– Must adequately describe the purpose so the individual understands that his or her PHI could be used or disclosed for future research activities

Compound authorizations permitted in certain cases
– Conditioned research versus unconditioned research – opt in required

Note: for health plan research involving genetic information, see GINA

Page 39: Enforcement Prior to HITECH

Most violations resolved through voluntary compliance or settlement agreements
– Not CMPs
No private right of action = no monetary recovery for individuals whatsoever
HIPAA was not a high compliance priority
– Few government audits
– Lack of penalties or negative consequences

Page 40: Enforcement After HITECH

Heightened enforcement scheme
– Increased penalties for Covered Entities (CE) and Business Associates (BA)
– State Attorneys General given new authority to bring civil suit on behalf of state residents

I.S. v. Washington University*
– Unlawful disclosure of PHI can be basis of per se state law negligence claim

*I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo. June 14, 2011).

Page 41: Attorney General Actions

New enforcement authority to bring suit
– Obtain damages on behalf of state residents
– Enjoin further violations
Cannot bring suit while HHS action for CMPs is pending
OCR’s HIPAA Enforcement Training
– Aids Attorneys General in investigating and seeking damages
– See: www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html

Page 42: Recent Enforcement Actions by OCR

Management Services Organization Washington, Inc. (MSO), December 2010
– Enforcement action in connection with FCA investigation
– Incident involved disclosure of ePHI to Washington Practice Management, LLC to market Medicare Advantage plans
– MSO failed to secure valid authorizations and did not implement appropriate safeguards
– MSO agreed to pay $35,000 and employ corrective action plan

Page 43: Recent Enforcement Actions by OCR

Cignet Health, February 2011
– First CMP imposed for Privacy Rule violation – total CMP of $4.3 million
– Incident involved denying 41 patients access to their requested medical records – $1.4 million CMP
– OCR found Cignet’s failure to cooperate with the investigation was due to willful neglect – $3 million CMP for failure to cooperate

Page 44: Recent Enforcement Actions by OCR

Blue Cross Blue Shield of Tennessee (BCBST), March 2012
– First enforcement action resulting from HITECH’s breach reporting requirements
– Incident involved 57 stolen, unencrypted computer hard drives containing PHI of over 1 million people
– Allegation that BCBST failed to perform security evaluation and implement physical safeguards
– BCBST agreed to:
  • Pay HHS $1.5 million for potential Privacy and Security Rule violations
  • Implement corrective action for compliance program

Page 45: Office for Civil Rights Complaint Process**

** Source: Department of Health and Human Services, Office for Civil Rights

Page 46: The Right to File a Complaint

Any person can file a complaint with OCR for violations of HIPAA
Complaints must:
• Be in writing (paper or electronic)
• Name the covered entity or business associate
• Describe the violating acts or omissions
• Be filed within 180 days of when the complainant knew or should have known of the act or omission
  – Time limit can be waived for good cause

Page 47: Complaint Investigation and Compliance Review

Investigations
– Required when facts indicate willful neglect
– May include:
  • Review of policies, procedures, or practices
  • Review of circumstances surrounding complaint
– Initial written communication by Secretary regarding investigation will describe basis of complaint

Page 48: Complaint Investigation and Compliance Review

Compliance review
– Required when preliminary review of facts indicates willful neglect
– Final Rule preamble notes that compliance reviews are generally conducted when HHS learns of alleged violation through means other than a complaint, e.g., media report, or through a report from another state or federal agency
Investigations or reviews may involve subpoenas for witnesses or production of evidence

Page 49: What OCR Considers During Complaint Intake and Review

OCR can only take action on certain complaints:
– Alleged violation occurred after required compliance date
– Complaint filed against a CE or BA
– Complaint alleges activity that would violate Privacy or Security Rule if proven true
– Complaint filed within 180 day time frame
• May refer complaint to DOJ for criminal investigation

Page 50: What OCR Considers During Complaint Intake and Review

The Process:
1. OCR notifies parties of accepted complaint
2. CE or BA must present information about incident
3. Review of information and evidence
4. Notification of parties if no further action warranted
5. If noncompliant, OCR will resolve case by obtaining voluntary compliance, corrective action, resolution agreement
   – There is discretion to forgo informal resolution measures and go directly to CMP imposition

Page 51: ENFORCEMENT (Tiered Civil Penalties)

Violation category                        Each violation     Per year
Did not know                              $100–$50,000       $1.5M
Reasonable cause                          $1,000–$50,000     $1.5M
Willful neglect, corrected in 30 days     $10,000–$50,000    $1.5M
Willful neglect, not corrected            $50,000            $1.5M

Page 52: ENFORCEMENT (Penalty Assessment Factors)

HHS is not bound to impose the maximum penalty, but will consider:
– Nature and extent of the violation
– Resulting harm (number of people, reputational harm)
– Entity’s history of compliance or violations
– Financial condition of the entity
– Any other factors justice may require

REMEMBER: intentional acts may be subject to separate criminal prosecution

Page 53: ACTION STEPS

CE: Revise Notice of Privacy Practices
CE/BA: Implement/revise HIPAA Policies and Procedures
CE/BA: Identify Business Associates
CE/BA: Revise and enter into new/amended Business Associate Agreements (2 different deadlines)
CE/BA: Review any “remuneration” relationships involving PHI/ePHI
CE/BA: Train Workforce