TRANSCRIPT
HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series,
Part I: The HITECH Omnibus Rule—An Overview and Important Policy Changes
This bootcamp webinar and roundtable discussion series is brought to you by the Health Information and Technology (HIT) Practice Group, and is co-sponsored by the Business Law and Governance
(BLG); Healthcare Liability and Litigation (HCL); Health Information Technology (HIT); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Life Science (LS); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Medical Staff, Credentialing and Peer Review (MSCPR); Payors, Plans, and Managed Care (PPMC); Physician Organization (Physicians); Regulation, Accreditation and Payment (RAP); and Teaching Hospitals
and Academic Medical Centers (TH/AMC) Practice Groups and the Healthcare Reform Educational (HRE) Task Force.
February 25, 2013 1:00-2:30 pm EST
Presenters:
Susan D. McAndrew, JD, Deputy Director, Health Information Privacy, Office for Civil Rights,
U.S. Department of Health & Human Services, Washington, DC
Robert L. Coffield, Esquire, Member, Flaherty Sensabaugh Bonasso PLLC, Charleston, WV
Adam H. Greene, Esquire, Partner, Davis Wright Tremaine LLP, Washington, DC
Moderator:
Patricia A. Markus, Esquire, Partner, Smith Moore Leatherwood LLP, Raleigh, NC
Motorola StarTAC, released in 1996. The first clamshell flip mobile phone.
AHLA CEO “Rockstar” THEN . . .
. . . And NOW
The Wayback Machine (www.archive.org) January 14, 2001
The Office for Civil Rights, February 25, 2013
HITECH Omnibus Rule: A snapshot of 138 pages
Kristen Rosati, President-Elect of AHLA
82462 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations
$100 to $25,000
5566 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations
$100 to $1,500,000
HIPAA HITECH Timeline (45 CFR parts 160 and 164)
• Aug 8, 1996 – HIPAA signed into law (16 years ago)
• December 28, 2000 – Privacy Final Rule (modified on August 14, 2002, and compliance by April 14, 2003)
• Feb 20, 2003 – Security Final Rule (compliance by April 21, 2005)
• Feb 17, 2009 – ARRA-HITECH signed into law
• Aug 24, 2009 – HITECH Breach Notification Interim Final Rule (effective Sept 23, 2009)
• Oct 30, 2009 – HITECH Enforcement Interim Final Rule (effective November 30, 2009)
• July 14, 2010 – Modifications to HIPAA Privacy, Security and Enforcement Rules under HITECH; Proposed Rule
• Jan 25, 2013 – HIPAA HITECH Omnibus Final Rule (effective March 26, 2013, and compliance required by September 23, 2013)
Overview of the Omnibus Final Rule and OCR’s Enforcement Expectations
Susan McAndrew, Deputy Director, Health Information Privacy
Office for Civil Rights/HHS
AHLA Webinar, February 25, 2013
Omnibus Final Rule/HITECH – What’s New for Business Associates
• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule
  – Liable for Security Rule violations
• BAs must comply with use or disclosure limitations expressed in their contracts and those in the Privacy Rule
  – Criminal and civil liabilities for violations
• BA definition expressly includes Health Information Organizations, E‐prescribing Gateways, and PHR vendors that provide services to covered entities
• Subcontractors of a BA are now defined as a BA
  – BA liability flows to all subcontractors
February 25, 2013 | 22
Omnibus Final Rule/HITECH – What’s New for Consumers
• Right to Electronic Copy of Electronic Health Record
  – Right to direct copy to designated 3d party
• Prohibition on Sale of PHI without Authorization
• Marketing Communications Paid for by 3d Party Require Authorization
  – Limited exceptions for refill reminders and current prescriptions
• Easy Way to Stop Fundraising Communications
• Right to Restrict Disclosures to Health Plans of Treatment/Services Paid for in Cash
GINA Provisions
• Requires “Genetic Information” to be treated as PHI
• Prohibits Health Plans from using/disclosing genetic information for underwriting purposes
• Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information
Omnibus Final Rule – Non‐statutory Provisions
• Student Immunization
  – Makes it easier for parents to permit providers to release student immunization records to schools
• Research
  – Allows researchers to use single authorization for more than one research purpose
  – Relaxes policy on authorizations for future research
• Notice of Privacy Practices
  – Updates required to Notices of Privacy Practices
  – Relaxes distribution requirements for Health Plans
• Decedent Information
  – Protections limited to 50 years after death
  – Eases access to friends and families
Omnibus Final Rule/HITECH – What’s New for Breach
• “Harm” Standard Replaced
• New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least:
  – Nature & extent of PHI involved
  – Who received/accessed the information
  – Potential that PHI was actually acquired or viewed
  – Extent to which risk to the data has been mitigated
Enforcement Expectations: Breach Notification
Breach Notification Highlights (09/2009 to 01/07/2013)
• 525 reports involving over 500 individuals
• Over 64,000 reports involving under 500 individuals
• Top types of large breaches
  – Theft
  – Unauthorized Access/Disclosure
  – Loss
• Top locations for large breaches
  – Laptops/Portable Electronic Devices
  – Paper records
  – Desktop Computers
Breach Notification: 500+ Breaches by Type of Breach (data as of January 2013)
• Theft 51%
• Unauthorized Access/Disclosure 20%
• Loss 14%
• Hacking/IT Incident 7%
• Improper Disposal 5%
• Unknown 3%
Breach Notification: 500+ Breaches by Location of Breach (data as of January 2013)
• Laptop 23%
• Paper Records 22%
• Desktop Computer 15%
• Portable Electronic Device 14%
• Network Server 11%
• Other 10%
• E‐mail 3%
• EMR 2%
Enforcement Expectations: Breach Notification
• Expect more uniformity in assessing incidents for breach notification purposes
• Continue to investigate major breaches and identify systemic or significant compliance problems to address by corrective action and resolution agreements
• Alert for incidents of failure to report –particularly if willful neglect is present
• Looking for ways to incentivize preventative action in most common problem areas
Omnibus Final Rule/HITECH – What’s New for Enforcement
• Makes permanent increased CMP amounts and tiered levels of culpability from 2009 IFR
• Clarifies “Reasonable Cause” Tier
• “Willful Neglect” cases do not require informal resolution
• Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties
Enforcement Expectations: Complaint Investigation and Resolution (As of December 31, 2012)
TOTAL (since 2003)
• Complaints Filed: 77,200
• Cases Investigated: 27,500
• Cases with Corrective Action: 18,600
• Civil Monetary Penalties & Resolution Agreements (since 2008): $14.9 million
Enforcement Expectations: Resolution Agreements
• Five Resolution Agreements and Corrective Action Plans Negotiated in 2012 ($4.85 million)
• Expect continued growth and emphasis on significant cases – remain small proportion of all the cases we look at
• Enforcement of compliance with new provisions after September 2013 – continue to enforce with respect to existing provisions not subject to change
Enforcement Expectations: Audit Program
• Completed Audits of 115 entities
  – 61 Providers, 47 Health Plans, 7 Clearinghouses
• Total 979 audit findings and observations
  – 293 Privacy
  – 592 Security
  – 94 Breach Notification
• Smaller entities struggle with all three areas
• Still assessing need to follow‐up on individual auditees
• Help identify compliance areas of greatest weakness
• Evaluation underway to guide us in making audit a permanent part of enforcement efforts
Effective Dates, Compliance Deadlines, and Implementation Planning
Adam H. Greene, Esquire, Partner, Davis Wright Tremaine LLP, Washington, DC
Timeline for Compliance
• January 25, 2013 – Omnibus Rule published in the Federal Register
  – Valid business associate contract or data use agreement must have already been in place to be grandfathered
• March 26, 2013 – Omnibus Rule effective date (it becomes law)
  – Covered entities can take advantage of greater flexibility (e.g., fundraising, decedent information)
  – Date on which new business associates must comply with Omnibus provisions
Timeline for Compliance
• September 23, 2013 – Covered entities and business associates must comply with Omnibus Rule provisions
• September 22, 2014 – End of grandfathering period
  – Grandfathered business associate agreements must be updated
  – No longer may receive remuneration for limited data set pursuant to grandfathered data use agreement
Steps for Coming into Compliance
• Develop a business associate implementation strategy
• Revise policies and procedures
• Revise notice of privacy practices
• Develop and implement a training strategy
Business Associate Strategy
• Inventory of business associates
  – Have you recognized all business associates?
  – Do you unnecessarily have BAAs with non-business associates?
  – Consider assigning risk levels (amount of PHI vs. evidence of controls)
• Consideration of agency relationship
  – Timeframe for breach notification
  – Level of monitoring
• Revise business associate contracts
Revise Policies and Procedures
• Address new Omnibus Rule limits/flexibility with respect to use and disclosure of PHI:
  – Sale of PHI
  – Marketing
  – Fundraising
  – Decedents
  – Student immunization
  – Research
• Breach notification response plan
Revise Policies and Procedures
• Address changes to patient rights:
  – E-copy of electronic designated record set
  – Right to have designated record set sent to third party
  – Restriction on disclosures related to out-of-pocket services
  – Distribution of notice of privacy practices (health plans)
• Ensure old HIPAA requirements are addressed
Revise Notice of Privacy Practices
• Prohibition on sale of PHI
• Duty to notify affected individuals of a breach of unsecured PHI
• Right to opt out of fundraising (if applicable)
• Right to restrict disclosure of PHI when paid out of pocket
• Limit on use of genetic information (certain health plans only)
Training
• Develop a strategic plan for training
  – Cover changes from Omnibus Rule
  – Cover high-risk areas such as mobile devices and social media
• Consider breaking up training
  – Uses and disclosures
  – Safeguards
  – Patient privacy rights
  – Breach notification
Training
• Consider multiple training platforms
  – E.g., include as agenda item in departmental meeting
• Make sure there is always documentation of attendance
• Don’t try to make workforce into HIPAA experts
Security Rule Risk Analysis
• Distinguish risk analysis vs. evaluation of controls
• Risk analysis should:
  – Identify locations of electronic PHI
  – Identify reasonably anticipated threats (e.g., human, natural, and environmental) and vulnerabilities
  – Assign risk levels (e.g., low, medium, high) based on likelihood and impact
Question and Answer Session
HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part I: The HITECH Omnibus Rule—An Overview and Important Policy Changes © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this
publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. “This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association