Gwinnett Managed Care, Inc. – Final HIPAA Privacy and Security Rules (PowerPoint presentation, July 10, 2013)

Page 1

July 10, 2013

Richard D. Sanders
THE SANDERS LAW FIRM, P.C.
7 Piedmont Center, Suite 300
3525 Piedmont Road
Atlanta, Georgia 30305
(404) 364-1819
[email protected]

Gwinnett Managed Care, Inc.

Final HIPAA Privacy and Security Rules

Page 2

Overview

Background for HIPAA Changes

Review New HIPAA Breach Notification Rules

Summary of key provisions of the Final Rule

Page 3

HITECH Revisions – Breach Notification

Description of Breach Notification Requirements – Pre-HITECH

Breach Notification – Interim Final Rule Provisions – August 24, 2009; Guidelines for Risk Analysis

HITECH Revisions to Enforcement and Penalties

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules

Breach… or No Breach

Final Rule issued January 25, 2013; to be effective March 26, 2013

Page 4

HITECH Revisions – Breach Notification

Scope of Notification Requirements

Applies to Privacy Rule breaches involving both electronic and paper records

“Breach” means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information (45 C.F.R. §164.402)

Under the Final Rule, any use or disclosure of unsecured PHI not permitted under the HIPAA Privacy Rule is presumed to be a breach requiring patient notification unless the Covered Entity or Business Associate demonstrates that there is “a low probability that the protected health information has been compromised.”

Page 5

HITECH Revisions – Breach Notification

Exceptions to “Breach” Definition

Unintentional access to PHI by a workforce member or other individual acting under the authority of a CE or BA if: the access was in good faith and within the scope of authority of the CE/BA; and the information was not further acquired, accessed, used or disclosed by such person in a manner not permitted by the Privacy Rule

Inadvertent disclosure by a person authorized to access the CE’s or BA’s PHI to another similarly situated person at the same CE, BA or OHCA, where the PHI is not further used in a manner not permitted by the Privacy Rule

Disclosure of PHI to an unauthorized person if the CE/BA has a good-faith belief that such person could not reasonably have been able to “retain” such information

The Final Rule removes the exception for limited data sets that do not contain zip codes and dates of birth.

Page 6

HITECH Revisions – Breach Notification

Unsecured PHI Guidance

HITECH defines “Unsecured PHI” as PHI not secured through use of a technology or methodology required in HHS guidance to render PHI “unusable, unreadable or indecipherable to unauthorized individuals”

HHS issued guidance April 27, 2009, identifying two methods to secure and render PHI unusable, unreadable or indecipherable to unauthorized individuals: encryption and destruction

HHS update of guidance required annually

Page 7

HITECH Revisions – Breach Notification

Clarified meaning of “data” – in motion, at rest, in use and disposed

Encryption:

Successful use depends upon the strength of the encryption algorithm (computer program) and the security of the decryption key or process

Two approved processes:

For data considered to be “at rest” – NIST Special Pub 800-111, Guide to Storage Encryption Technologies for End User Devices

For data considered to be “in motion” – Federal Information Processing Standards (FIPS) 140-2

Exhaustive methods, not illustrative

Destruction:

PHI in written form will be “secured” if the materials are shredded or destroyed and the PHI cannot be read or otherwise reconstructed

PHI in electronic form will be “secured” if the information is cleared, purged or destroyed consistent with NIST Special Pub 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved

Page 8

HITECH Revisions – Breach Notification

Updated HHS Guidance on Securing PHI

In the preamble to the regulations for breach notification, HHS updated its guidance on “securing” PHI. HHS:

Rejected access controls, such as firewalls, as a method for securing PHI.

Rejected redaction as a means of securing PHI, and clarified that only the destruction of paper PHI will render that PHI secure.

Clarified that encryption keys must be kept on a separate device from the data that they encrypt or decrypt.

Reiterated its reliance on certain NIST standards as meeting the encryption standards required to secure PHI.

Page 9

HITECH Revisions – Breach Notification

Discovery of Breach – Section 164.404(2)

On the first day that the breach is known, or by exercising reasonable diligence could have been known (except by the person committing the breach), to the CE or BA

The CE/BA is “deemed” to know when the breach is known, or by exercising reasonable diligence could have been known, to any workforce member or agent of the CE

Meaning of “agent” determined by federal common law of agency

Page 10

HITECH Revisions – Breach Notification

Notice to Individuals – Section 164.404

CEs must notify individuals if “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a “breach”

Written Notice: sent via first class mail unless the individual has specified a preference for e-mail

Substitute Notice: if there is insufficient or out-of-date information for the individual, or if the notice is returned undeliverable, the CE must provide substitute notice. If fewer than 10 individuals are involved, notice may be by phone or other means. If 10 or more individuals are involved, notice must be by conspicuous posting for 90 days on the CE Web site or in major print or broadcast media where the affected individuals reside, and must include a toll-free phone number active for at least 90 days. Notice must be reasonably calculated to reach the individual.

Urgent Notice: if there is a possibility of imminent misuse of unsecured PHI, notice is required by telephone or other appropriate notice, plus written notice

Page 11

HITECH Revisions – Breach Notification

Timing of Notice to Individuals by CE – Section 164.404(b)

Must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the unsecured PHI breach

Content of CE Notice to Individual – Section 164.404(c)

The notice must include:

Description of the breach (what happened, including the date of the breach)

Types of information involved (such as SS#, DOB, address)

Mitigation, investigation and protective steps taken by the CE

Steps for individuals to take for their protection

Contact information to ask questions or obtain more information (must include a toll-free number, email address, Web site or postal address)

Page 12

HITECH Revisions – Breach Notification

Notice to Media – Section 164.406

If the breach involves unsecured PHI of more than 500 individuals in a state or jurisdiction, the CE must notify prominent media outlets

Notice must be given without unreasonable delay and no later than 60 calendar days after breach discovery

Depending on the circumstances, an appropriate media outlet may include a local television station or a major general interest newspaper with a daily circulation throughout an entire state

Notice to Secretary – Section 164.408

If the breach involves unsecured PHI of more than 500 individuals: immediately, meaning without unreasonable delay and no later than 60 calendar days after breach discovery; CEs are listed on the HHS Web site

If the breach involves unsecured PHI of fewer than 500 individuals: CEs must maintain a log of breaches and submit an annual report of breaches to the Secretary; the date for submission will be identified on the HHS Web site and will be no later than 60 days after the end of each calendar year

Report to Congress: HHS must annually report breaches to Congress

Page 13

HITECH’s Revisions to Enforcement and Penalties

HITECH Revisions – Enforcement

HHS, specifically OCR, must formally investigate any complaint of a HIPAA violation if the initial investigation indicates a breach due to willful neglect – effective February 17, 2011

Required to impose a CMP if willful neglect is found

OCR will perform audits of CEs and BAs (probably not random onsite visits) – beginning February 2010

Effective February 17, 2009 – State attorneys general may bring civil actions in federal court for HIPAA violations; HHS may intervene; AGs may seek an injunction or damages, only if HHS has not initiated a lawsuit

Page 14

HITECH’s Revisions to Enforcement and Penalties

Penalties (as per statute and October 30, 2009 Interim Final Rule)

Applicable to CEs – February 18, 2009

Applicable also to BAs – February 17, 2010

Original bases for civil enforcement retained with increased penalties

Penalties based on intent – state of mind

CMPs collected are transferred to OCR for purposes of enforcing the Privacy and Security Rules

OCR will consult with GAO to develop, within 3 years, a system to provide a percentage of CMPs/settlements to individuals harmed

Non-CEs (e.g., employees of CEs) may violate HIPAA if PHI maintained by a CE is obtained or disclosed by a person without authorization

Criminal penalties – broad language

Page 15

HITECH’s Revisions to Enforcement and Penalties

Penalties (cont’d): applies a tiered approach to CMPs

Unknown, or with reasonable due diligence would not have known: not less than $100 or more than $50,000 for each violation, OR in excess of $1.5 million for identical violations during a calendar year

Reasonable cause that is not willful neglect: not less than $1,000 or more than $50,000 for each violation, OR in excess of $1.5 million for identical violations during a calendar year

Willful neglect and the violation corrected within the 30-day cure period: not less than $10,000 or more than $50,000 for each violation, OR in excess of $1.5 million for identical violations during a calendar year

Willful neglect and the violation not corrected within the 30-day cure period: not less than $50,000, OR in excess of $1.5 million for identical violations during a calendar year

Page 16

Proposed Rule Change for HIPAA/HITECH – Notice of Privacy Practices

The components of the HIPAA Notice of Privacy Practices require new notices regarding marketing and fundraising

Authorization is required for any disclosure of PHI that is made in exchange for direct or indirect remuneration, unless a specified exception applies

Page 17

Proposed Rule Change for HIPAA/HITECH – Additional Issues

Privacy protection extends only 50 years after the death of the patient

Covered entities can charge patients for costs associated with providing an individual’s ePHI on electronic media

Page 18

Final Rule Change for HIPAA/HITECH – Effective Date

2013 RULE CHANGES

The Department of Health and Human Services issued the HIPAA/HITECH Act Omnibus Final Rule on January 25, 2013 (the “Final Rule”).

The Final Rule is effective March 26, 2013.

Covered Entities will be required to comply with most provisions by September 23, 2013.

Page 19

HIPAA/HITECH ACT OMNIBUS FINAL RULE – 2013 RULE CHANGES

Breach Notification:

The Final Rule revises the definition of a “breach” and the standard for determining whether patient notification is required.

The Final Rule replaces the harm threshold with a threshold based on the probability that the PHI has been compromised.

Any use or disclosure of PHI is presumed to be a breach requiring patient notification unless there is “a low probability that the protected health information has been compromised.”

Page 20

HIPAA/HITECH ACT OMNIBUS FINAL RULE – 2013 RULE CHANGES

Breach Notification (cont.):

When determining whether there is a low probability that PHI has been compromised, Covered Entities must take into account four (4) factors:

The nature and extent of the PHI involved;

The unauthorized person who used the PHI or to whom the PHI was disclosed;

Whether the PHI was actually acquired or viewed; and

The extent to which the risk to the PHI has been mitigated.
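As an added example (not from the presentation, the presenter or Gwinnett Managed Care), here is a small Python worksheet that turns the rules from slides 4, 6-8, 10-12 and 20 into one decision procedure: it classifies whether the PHI was “unsecured” under the HHS guidance summarized above (encrypted per the NIST SP 800-111 / FIPS 140-2 references with the key held on a separate device, or destroyed per NIST SP 800-88), applies the presumption of breach unless the four-factor assessment supports a low probability of compromise, and computes which notices are owed and by when (the 60-day deadline, the 10-individual substitute-notice threshold and the 500-individual media/Secretary threshold). The Incident fields, the Protection categories, the sample incidents and the conservative reading that every one of the four factors must support a low probability are assumptions of this example, not statements from the slides.

```python
"""Breach-notification triage worksheet (added example, not part of the slides).
Encodes the rules as the slides state them: unsecured-PHI criteria (slides 6-8),
presumption of breach plus the four-factor assessment (slides 4 and 20), and the
notice channels, thresholds and deadlines (slides 10-12). The Incident fields, the
Protection categories, the sample incidents and the conservative reading that every
factor must support a low probability are this example's own assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

NOTICE_DEADLINE_DAYS = 60          # "no later than 60 calendar days after discovery"
LARGE_BREACH_THRESHOLD = 500       # slides: "more than 500" -> media + immediate Secretary notice
SUBSTITUTE_POSTING_THRESHOLD = 10  # "10 or more" -> conspicuous posting instead of phone
SUBSTITUTE_POSTING_DAYS = 90
ANNUAL_LOG_DEADLINE_DAYS = 60      # "no later than 60 days after end of each CY"


class Protection(Enum):
    """State of the PHI when it left the CE's control (assumed categories)."""
    NONE = "plain"
    ACCESS_CONTROL_ONLY = "firewall/ACL only"   # rejected by HHS as "securing" (slide 8)
    REDACTED = "redacted paper"                 # rejected by HHS (slide 8)
    ENCRYPTED_AT_REST = "NIST SP 800-111"       # slide 7
    ENCRYPTED_IN_MOTION = "FIPS 140-2"          # slide 7
    DESTROYED = "shredded / NIST SP 800-88"     # slide 7


# Slide 20's four factors; True in Incident.factors_low means the factor supports a
# low probability of compromise. A missing factor is treated as NOT supporting it.
FOUR_FACTORS = ("nature_and_extent", "unauthorized_recipient",
                "acquired_or_viewed", "risk_mitigated")


@dataclass
class Incident:
    discovered_on: date                   # first day known or knowable (slide 9)
    individuals: int
    protection: Protection
    key_on_separate_device: bool = False  # slide 8: keys must live apart from the data
    imminent_misuse: bool = False         # slide 10: triggers urgent notice
    contact_undeliverable: bool = False   # slide 10: triggers substitute notice
    factors_low: dict = field(default_factory=dict)


def is_unsecured(inc: Incident) -> bool:
    """Unsecured = not rendered unusable/unreadable per HHS guidance (slides 6-8)."""
    if inc.protection is Protection.DESTROYED:
        return False
    if inc.protection in (Protection.ENCRYPTED_AT_REST, Protection.ENCRYPTED_IN_MOTION):
        return not inc.key_on_separate_device  # key exposed with the data: not secured
    return True  # plain, access-control-only and redacted PHI are all unsecured


def requires_notification(inc: Incident) -> bool:
    """Presumed breach of unsecured PHI unless low probability is demonstrated (slide 4)."""
    if not is_unsecured(inc):
        return False
    return not all(inc.factors_low.get(f, False) for f in FOUR_FACTORS)


def annual_log_deadline(discovered_on: date) -> date:
    """Breaches below the threshold go in the log reported after calendar-year end."""
    return date(discovered_on.year, 12, 31) + timedelta(days=ANNUAL_LOG_DEADLINE_DAYS)


def notification_plan(inc: Incident) -> dict:
    """Return the notices owed and their deadlines, per slides 10-12."""
    if not requires_notification(inc):
        return {"notify": False}
    deadline = inc.discovered_on + timedelta(days=NOTICE_DEADLINE_DAYS)
    plan = {"notify": True, "individual_deadline": deadline,
            "individual_notice": ["written: first-class mail, or e-mail if preferred"]}
    if inc.imminent_misuse:
        plan["individual_notice"].insert(0, "urgent: telephone or other appropriate notice")
    if inc.contact_undeliverable:
        if inc.individuals < SUBSTITUTE_POSTING_THRESHOLD:
            plan["substitute_notice"] = "telephone or other means"
        else:
            plan["substitute_notice"] = (f"conspicuous posting for {SUBSTITUTE_POSTING_DAYS} days "
                                         f"on the CE Web site or in major media, with a toll-free "
                                         f"number active {SUBSTITUTE_POSTING_DAYS} days")
    if inc.individuals > LARGE_BREACH_THRESHOLD:
        plan["media_deadline"] = deadline            # prominent media outlets (slide 12)
        plan["secretary"] = ("immediately", deadline)
    else:
        plan["secretary"] = ("annual log", annual_log_deadline(inc.discovered_on))
    return plan


# Constructed sample incidents (not real events), all discovered on the presentation date.
D = date(2013, 7, 10)
SAMPLES = {
    "lost_laptop": Incident(D, 1200, Protection.NONE, contact_undeliverable=True),
    "encrypted_usb": Incident(D, 1200, Protection.ENCRYPTED_AT_REST, key_on_separate_device=True),
    "misdirected_fax": Incident(D, 7, Protection.NONE, contact_undeliverable=True,
                                imminent_misuse=True),
    "recovered_unopened": Incident(D, 40, Protection.NONE,
                                   factors_low={f: True for f in FOUR_FACTORS}),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        print(name, "->", notification_plan(inc))
```

Two design points worth noting. The thresholds follow the slides' wording literally (“more than 500” for media and immediate Secretary notice, “fewer than 500” for the annual log), so a privacy officer using a worksheet like this should confirm how the boundary case is handled under the regulation text itself. And the four-factor outcome is a judgment the Covered Entity must be able to document; requiring every factor to support a low probability is the example's deliberately conservative default, which errs toward notifying.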

Page 21

HIPAA/HITECH ACT OMNIBUS FINAL RULE (cont.) – 2013 RULE CHANGES

Business Associates and Contractors:

Under the Final Rule, Business Associates and Contractors are now required to comply with the HIPAA Security Rule.

The Final Rule provides a transition period of an additional year for Business Associate Agreements (“BAAs”) that are currently in existence to come into compliance with the Rule. For example: for BAAs that existed prior to January 25, 2013, and that are not renewed or modified during the period from March 26, 2013 to September 23, 2013, the deadline to comply with the Final Rule will be the earlier of the date on which the BAA is renewed or modified, or September 22, 2014.

Page 22

HIPAA/HITECH ACT OMNIBUS FINAL RULE (cont.) – 2013 RULE CHANGES

Revised Privacy Notices:

Under the Final Rule, Privacy Notices must now grant the recipient the right to receive breach notification.

Covered Entities must obtain patient authorization before using PHI for marketing purposes and before selling PHI.

Covered Entities will need to provide a revised Notice of Privacy Practices to individuals.

Page 23

THANK YOU!!!

Richard D. Sanders
THE SANDERS LAW FIRM, P.C.
3525 Piedmont Road
Atlanta, Georgia 30305
(404) 364-1819
[email protected]