AHLA Physicians and Hospitals Law Institute, February 5-7, 2014

D. The Impact of HIPAA on Medical Practices in a Post-HITECH World

Kimberly Short Kirk, Moore & Van Allen PLLC, Charlotte, NC

Brad M. Rostolsky, Reed Smith LLP, Philadelphia, PA


The Evolution of HIPAA: Impact of HITECH and

Increased HIPAA Enforcement on Physician Practices

Kimberly Short Kirk

[email protected]

704-331-3524

Brad M. Rostolsky

[email protected]

215-851-8195

HIPAA Implications of Physician-Hospital

Integration


Affiliated Covered Entities

Single covered entity

Common ownership/control

All members must be a covered entity

Designation must be documented

If functions are combined, then all requirements apply

Affiliated Covered Entities

Single set of policies

Common training program and Privacy Officer

One NPP

Joint BAAs

Practical?

Joint liability


Organized Health Care Arrangements

Hold themselves out as participating in a joint arrangement

Joint activities must include:

UR;

QA; or

Payment activities if OHCA shares financial risk for services

Organized Health Care Arrangements

May disclose PHI for health care operations of OHCA

No designation required

Implement required safeguards for shared PHI?


Security Rule Risk Assessments & OCR Audits

General Requirement

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the

Confidentiality

Integrity

Availability

of electronic protected health information held by the entity


The times they are a changing …

Mobile devices

Phones

iPads, etc.

Flash drives

Web-based email and applications (e.g., scheduling, billing)

Dependency on vendors

Important Considerations

Frequency

Associated exposure/risk

Entity “buy-off”

Cost

Outside vendor vs. internally conducted

Role of attorney

Given the current enforcement environment and the introduction of audits, risk assessments are a critical aspect of overall HIPAA compliance.


HHS/OCR Audits

Pilot Program launched in November 2011

Pilot was for 115 covered entities

Process:

Initial response time: 10 days!

HHS/OCR Audits

Touted as a “compliance improvement activity”

Contracted to KPMG

Get your documentation in order NOW

Emphasis on Security Rule Risk Assessment

Impact of recent OIG report??

Enforcement

HITECH Enforcement CMP Levels

Violation Category | Each Violation | All Identical Violations per Calendar Year

Did Not Know | $100 - $50,000 | $1,500,000

Reasonable Cause | $1,000 - $50,000 | $1,500,000

Willful Neglect Corrected | $10,000 - $50,000 | $1,500,000

Willful Neglect Not Corrected | $50,000* | $1,500,000


HIPAA Enforcement: Recent Examples

Dermatology Practice: $150,000 Settlement, Corrective Action Plan

OCR investigation following theft of unencrypted thumb drive containing ePHI of 2,200 patients

No Security Rule Risk Assessment; failed to have policies and procedures in place addressing breach notification

Medical Center: $275,000, Corrective Action Plan

Two Medical Center leaders discussed medical services provided to a patient with the media without proper authorization

Failed to safeguard patient’s PHI and failed to sanction workforce members pursuant to internal sanctions policy

Pathology Practices: $140,000 Settlement

Massachusetts Atty. Gen. fine stemmed from improper disposal of paper medical records of 67,000 residents

Failed to have appropriate safeguards in place to protect the personal information provided to BA; no BAAs between pathology groups and BA

HIPAA Enforcement: Recent Examples

Eye and Ear Practice: $1.5 million Settlement, Corrective Action Plan

OCR investigation following theft of an unencrypted personal laptop containing ePHI of patients and research subjects

No Security Rule Risk Assessment; failed to implement security measures to ensure confidentiality of ePHI; failed to implement policies and procedures

Cardiology Practice: $100,000 Settlement, Corrective Action Plan

OCR investigation following report that practice was posting clinical and surgical appointments on publicly accessible Internet-based calendar

No Security Rule Risk Assessment; failed to implement policies and procedures; failed to document employee training; failed to identify security officer; failed to obtain BAAs


Patient Complaints / OCR Inquiries and Investigations

Responding to Patient Complaints

HIPAA Privacy Rule gives patients the right to make complaints to covered entity and OCR.

Does covered entity have other relevant policies?

Notice of Privacy Practices


Responding to Patient Complaints: Practical Considerations

Train all employees to report all potential incidents, not just formal complaints

Document all conversations with the complainant; may need to gather further information

Watch disclosure of sensitive employee information

Responding to Patient Complaints: Practical Considerations

Complaint documentation

Subject of complaint

How investigated (interviews, medical record audit)

Findings

Remedial measures (if none, then reasons why)

Efforts to mitigate

Consider state law notice requirements


Responding to OCR Inquiries

Most common type of covered entity required to take corrective action: private practices

Complaint requirements:

In writing

Within 180 days unless “good cause”

OCR must describe basis of complaint to subject covered entity

Initially, OCR said that it would pursue “informal means” and “seek voluntary compliance” (68 Fed. Reg. at 18897)

6/2012: OCR Director says that tolerance for HIPAA compliance is “much, much lower” than in past in light of history and amount of guidance provided

Cooperation by covered entity required

Responding to OCR Inquiries

List of questions:

Relate to incident that is subject of complaint

Covered entity’s compliance generally

Supporting materials (policies, training logs)

Responding to OCR Inquiries: Practical Considerations

Time-consuming process

Clear, thorough, accurate response; include exhibits to support

Expect follow up questions

Remedial actions

Training

Revisions to policies

Employee sanctions

Breach notices

Assess compliance generally

Workforce Training


HIPAA Training

Frequency

Documentation!!

Content

Workforce members vs. business associates

Exposure

Logistics

Breach Notification Rule


Breach Notifications and Reporting Requirements

Prior to HITECH Act, no federal requirement to notify individuals of breaches existed

Entities of all sizes and kinds have reported breaches

Blue Cross Blue Shield of TN (March 2012): $1.5M

Phoenix Cardiac Surgery, P.C. (April 2012): $100,000

Alaska DHHS (Medicaid beneficiaries) (June 2012): $1.7M

Corrective Action Plan required in addition to imposition of fine

Breach Notifications and Reporting Requirements

Interim Final Rule (Sept. 2009):

Risk of harm assessment

Is there a “significant risk of financial, reputation or other harm”?


Breach Notifications and Reporting Requirements

HITECH Final Rule (January 2013)

New assessment intended to be more objective and uniform

Presumption of breach

Must demonstrate a “low probability” that PHI has been “compromised” after conducting a risk assessment

Breach Notifications and Reporting Requirements

Risk assessment of at least 4 factors

Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

Unauthorized person who used the PHI or to whom the disclosure was made

Whether the PHI was actually acquired or viewed

Extent to which the risk to the PHI has been mitigated


Breach Notifications and Reporting Requirements

Utilize a committee/multiple people in the entity to make the determination regarding risk

Document analysis of 4 risk factors

Consistency where possible

Breach Notifications and Reporting Requirements

Advise liability carrier?

Drafting notices:

Clarity: avoid unnecessary concerns

Describe what was and was not disclosed

Train/inform contact persons

Determine whether need media or substitute notice


Breach Notifications and Reporting Requirements

Notice to Secretary

Be thorough when completing online form

Breach notice filings as source of investigations

Maintain log of breaches

Procedure to ensure notice is filed by the deadline

Breach Notifications and Reporting Requirements

Even if notice is not provided:

Remember mitigation obligation

Address underlying issue(s)

Document measures taken

Avoid future incidents

May help if OCR does not agree with assessment


Breach Notifications and Reporting Requirements

State Law Reporting Requirements

May have different information that triggers notice and/or reporting obligation

May be required in all instances and not contain risk threshold standard

Business Associate issues

Covered entity may have obligations under BAAs

Who makes determination? Who bears costs?

Business Associate “Management”


Changing Obligations

Assess current relationships for BAA compliance

Indemnification

Oversight of BAs

Audit compliance?

Impose safeguards?

Other mechanisms?

Agency risk

Covered Entity exposure

Business Associate breaches

Grandfather period: earlier of

Date of renewal or modification

September 22, 2014

Business Associate Subcontractors

Consistency

“Floor” Provisions


Marketing

Marketing Communications

Former Privacy Rule. To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service

Treatment and certain health care operations communications excluded

Final Rule. Eliminates exceptions for financially remunerated treatment and health care operations communications.

Prior Authorizations required when a covered entity receives financial remuneration in exchange for making a treatment communication.


Marketing Communications

Financial Remuneration.

Defined as monetary direct or indirect payments from the third party whose product or service is being described.

Notably, financial remuneration does not include in-kind benefits.

Financial Remuneration and Business Associates.

If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization.


Marketing Communications

Two Critical Questions:

1. Is the covered entity or business associate receiving financial remuneration?

2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?


Marketing Communications

Scope of Authorizations.

Need not be limited to communications describing a single product or service or services of a single third party.

A single authorization may apply to subsidized communications generally.

Exceptions to Authorization Requirement Remain:

Face-to-face communications

Promotional gifts of nominal value


Marketing Communications – Prescription Refill Reminder Exception

Financially remunerated prescription refill reminders remain excluded if financial remuneration limited to reasonable costs of making the communication

Recent Guidance from OCR – Two and A Half Critical Questions:

1. Is the communication about a currently prescribed drug or biologic?

2. Does the communication involve financial remuneration, and if so, is it reasonable?


Marketing Communications – Prescription Refill Reminder Exception

Is the communication about a currently prescribed drug or biologic?

Within Exception:

Refill reminders about a drug or biologic that is currently being prescribed;

Communications regarding generic equivalents;

Communications about a recently lapsed prescription (i.e., within the last 90 calendar days);

Adherence communications; and

For individuals who are prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system.

Not Within Exception:

Communications about specific new formulations of a currently prescribed medicine;

Communications about specific adjunctive drugs related to the currently prescribed medicine;

Communications encouraging an individual to switch from a prescribed medicine to an alternative;


Marketing Communications – Prescription Refill Reminder Exception

Does the communication involve financial remuneration, and if so, is it reasonable?

Within Exception:

No financial remuneration involved;

Only non-financial or in-kind remuneration, such as supplies, computers, or other materials;

Only payments from a party whose product is not being described (and not on behalf of the party whose product is being described);

Financial remuneration covers only the reasonable direct and indirect costs related to the refill reminder (i.e., labor, materials, and supplies as well as capital and overhead costs)

Involves payment to business associate assisting the covered entity, which is limited to the FMV of the business associate’s services.

Not Within Exception:

Involves financial remuneration not described above.

Proposed Access Reports Rule

Changes to Accounting Requirements and Access Reports

Modified the accounting requirement currently set forth in the Privacy Rule

Added right to receive an “Access Report”

Specific individuals who have accessed ePHI

Specific action taken

Commenters have noted that this would be complex, cumbersome and costly

Changes to Accounting Requirements and Access Reports

Not addressed in HITECH Final Rule

Talk to electronic health record vendors

Notice of Privacy Practices changes
