2013 HIPAA II & HITECH “YOUR PLAN” Rhonda Anderson, RHIA, President


OBJECTIVES

• The participants will identify the following and what they mean to them and staff:
  • HIPAA 2013 highlights
  • Privacy Notice Changes
  • HIPAA Coverage & the Business Associate
  • Key Resident Rights such as access to Electronic Data, right to receive electronic and manual copies of their health information
  • Right to Restrict release of data to health plans
  • Period of Protection for Death Records

OBJECTIVES -2

• The participants will identify … (cont.)
  • Disclosure about a decedent to family members and others involved in care
  • Authorization for research
  • HITECH ACT privacy and security provisions
  • Electronic records and what that means to the HIPAA compliance
  • Breach / Impermissible Use – California AB340
  • Breach / Impermissible Use – Four factor analysis
  • HIPAA – HITECH – Determining Risks from a risk assessment in your organization

OBJECTIVES -3

• The participants will identify … (cont.)
  • Policies and Procedures update, i.e., Business Associate, Privacy Security, Access to Records, Use and Disclosure, Breach, Impermissible use – update
  • Steps to protect YOUR organization
  • Security, who establishes access to records and at what level?
  • Role of Office of Civil Rights
  • What you should do to meet the HITECH Requirements?
  • ACTION and YOU!!!

LET’S SET THE HIPAA STAGE

• HIPAA in 2003, 2005, 2009, 2010, 2011 and 2013 – updates minor and major, HITECH and Security being the most dramatic, which really focused on BREACHES
• Business Associate Changes
• Marketing requires an authorization
• Financial Remuneration is defined
• Sale of PHI
• Compound Authorizations for Research
• Death records after 50 yrs. Individually Identifiable data is allowed to be

LET’S SET THE HIPAA STAGE -2

• Finalizes:
  • The Breach Notification Rule
  • Genetic Information – Nondiscrimination Act – GINA
  • HITECH Enforcement Rule
  • HITECH ACT Privacy and Security
  • HITECH ACT – Accounting of Disclosures / Access Report Rule
  • Guidance on Minimum Necessary

LET’S SET THE HIPAA STAGE -3

• Covered Entities (CE) are now permitted to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual KNOWN TO THE CE!!

LET’S SET THE HIPAA STAGE -4

• Notice of Privacy Practice – revised/redistributed
• Restriction Health Plan and $$ paid by patient
• Access to Electronic PHI
• Form and format of Electronic Copies
• Timeliness for paper and e-records

LET’S SET THE HIPAA STAGE -5

• Fees – VARIES
  • State
  • OBRA
  • Federal
• Breach Notification – assessment
• Genetics – New requirement and relates mostly to health insurance coverage
  • Excludes Long term care plans from underwriting prohibition

NEW HIPAA RULES

• Covered Entities (CE) are now permitted to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual KNOWN TO THE CE!!

DEATH AND PHI

• Now permits entities to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the CE
• A person of the 1st, 2nd, 3rd or 4th degree of the individual, or of a dependent of the individual, is defined as a family member

WHO IS A FAMILY MEMBER?

• First Degree – parents, spouses, siblings and children
• Second Degree – grandparents, grandchildren, aunts, uncles, nephews or nieces
• Third Degree – great-grandparents, great-grandchildren, great aunts, great uncles and first cousins
• Fourth Degree – great-great grandparents, great-great grandchildren, children of first cousins

NEW…NOT SO NEW HIPAA RULES

• BA was always included, just changed some
• Marketing had restrictions – now requires an authorization if you plan to use the names and PHI – and there are exceptions and there are other provisions that really do not affect us
• Individually Identifiable Information of a person deceased more than 50 years is no longer considered PHI under the Privacy Rule

NEW…NOT SO NEW… -2

• Notice of Privacy Practice Changes
• Some Key Changes and maybe more
  • When authorizations are required, i.e., research, any marketing
  • PHI after 50 years (Individually Identifiable Information vs. that which had PHI)
  • When paid in full = Health Plan does not have to be notified and you can request restriction
  • Opt out of fundraising letters (this does not have to be included in the NPP – you can inform otherwise – probably just a good idea to have the information all in one place)

NEW…NOT SO NEW… -3

• Special requirements if you have psychotherapy notes – if none, does not have to be in the NPP
• Uses and disclosures not described in the Notice of Privacy Practice will require an authorization
• Right to be notified of a breach of unsecured PHI in the event they are affected
• Fees for Paper and Electronic Copies

APPLICABILITY

• HIPAA applies to:
  • All Covered Entities
  • Your Business Associates, i.e., anyone who contracts w/ you who uses Protected Health Information (PHI) and who subcontracts with the BA
  • Vendors who may have access to PHI – you may not “think of”
• Also the fact they are all under the HIPAA requirements
• Must comply with some of the Privacy Rule and provisions of the BAA

BUSINESS ASSOCIATES (BA)

• Business Associate – Definition changed significantly [78 FR 5668]
• With respect to CE – is not part of the workforce; provides services for the CE; creates, receives, maintains, transfers or stores PHI, including:
  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Financial services
  • Computer services and cloud computing
  • E-prescribing gateways, et al. with access to PHI

BUSINESS ASSOCIATES -2

• Does not include review agencies that are governmental
• Health Care Provider with respect to disclosures by a CE to the treatment of the individual

BUSINESS ASSOCIATES -3

• SECURITY STANDARDS 164.306 [78 FR 5589]
• BA to ensure:
  • Confidentiality
  • Integrity
  • Modify Security Measures = Protection of PHI
  • Update Security Measures
  • Aware – implement encryption
  • http://www.hhs.gov/ocr/priacy/hipaa/administrative/securityrule

BA & ADMINISTRATIVE SAFEGUARDS

• Explicitly states CE only has to enter into agreement with BA subcontractors
• Security termination procedures – The CE cannot use just work force re: termination and includes as applicable to the BA = “or other arrangements” – i.e., terminate contract, not use the supplies, etc.

BA & ORGANIZATIONAL REQUIREMENTS

• BA must have BA contracts with subcontractors that create, receive, maintain or transmit electronic PHI
• Must report any Security incident, including breaches of unsecured PHI, to the BA that holds the contract
• BA responsible to report to the CE
• CE reports the breach to the individuals

BA & ORGANIZATIONAL REQUIREMENTS -2

• KEY HERE – In the contract is the agreement, the costs of the subcontractor with the contractor and the contractor with the CE (CE should not have to bear the cost, except for their own Breach)

BA & HITECH

• HITECH – makes BA liable for specifics of the PRIVACY RULE and the BA Subcontractor
• Use and disclosure – BA will be directly liable if not within the BA Agreement, and CE could be if not clear in the contract

BUSINESS ASSOCIATES

• Directly Liable under HIPAA
  • Impermissible use and disclosures
  • Failure to provide breach notification to the CE
  • Failure to provide access to a copy of the e-HR / PHI
  • Failure to disclose PHI to Secretary – via investigations

BUSINESS ASSOCIATE AGREEMENT

• MUST INCLUDE
  • Will comply with the Security Rule in regard to e-PHI
  • Must report breaches of UNSECURED PHI to the CE
  • Must ensure subcontractors that CREATE OR RECEIVE PHI agree to the same restrictions
  • BA – as applicable would have to distribute the Privacy Notice
  • BA MUST ENTER INTO A CONTRACT WITH SUBCONTRACTORS

VENDORS OF A PHR

• Most likely a BA or a CE
• Notification made on behalf of the CE may, in part, satisfy the reporting requirements

ELECTRONIC MEDIA

HIPAA – ELECTRONIC MEDIA – 2013

• Electronic Media now reads [78 FR 5688]:
• Electronic Storage Material on which data is or may be recorded electronically, including for example devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.

HIPAA – TRANSMISSION MEDIA

• Transmission media used to exchange information already in electronic storage media [78 FR 5688]
• Includes:
  • Internet
  • Extranet
  • Leased lines
  • Dial-up lines
  • Private networks
  • Physical movement of removable/transportable electronic storage media

HIPAA – TRANSMISSION MEDIA -2

• Certain transmissions NOT considered transmissions:
  • Paper
  • Via facsimile
  • Via voice or telephone
• (BELIEVE THAT RELATES TO SENDING E-FAX, PRINTED COPY FROM AN E-RECORD)
• (NOT SURE HOW VIA VOICE AND TELEPHONE WOULD APPLY TO Electronic Media)

HIPAA – TRANSMISSION MEDIA -3

• Your printer/fax machine that information is sent directly to – for email and fax. (There is a chip.) It includes contact PHI.
• IF THE INFORMATION DID NOT EXIST IN ELECTRONIC FORM IMMEDIATELY BEFORE THE TRANSMISSION
• The statement is: if the document was electronic immediately prior to transmission/sending, then it falls under the e-record
• *Requirement and electronic breach requirements are then applicable

PROTECTED HEALTH INFO. – ‘PHI’

• Now reads:
• PHI – excludes individually identifiable health information [78 FR 5689] in these exceptions: education records, employment records held by a CE, and persons deceased more than 50 yrs.

BREACH NOTIFICATION & BA

• Breach Notification applies to HIPAA covered entities, BAs and their Business Associate Subcontractors that access, maintain, modify, record, store, use, hold, or disclose unsecured PHI

ENFORCEMENT

• New Regulations include changes designed to enhance the civil monetary penalty structure set in the HITECH ACT:
  1) Lack of Knowledge
  2) A reasonable cause and not willful negligence
  3) Willful neglect, but then corrected
  4) Willful neglect but NOT corrected

NON-COMPLIANCE DUE TO WILLFUL NEGLECT

• HITECH calls for more deliberate investigation and penalties
• “Willful neglect” – discovery through general compliance review
• OCR finds willful neglect – goes directly to civil money penalties

CIVIL MONEY PENALTY

• OCR – Reasonable Cause
  • Act or omission in which the CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violates an administrative simplification provision, but in which the CE or BA did not act with willful neglect
• Basis for Civil Money Penalty
  • Assure the legal review of BA agreements to be sure, if there is a violation, of the appropriate compliance and the obligation to assure there is compliance with the HIPAA requirements – privacy, security, enforcement, et al.

OCR – VIOLATIONS

• OCR = ?? How to apply these penalties, esp. upper limits. Situation: affirmative defense the CE might consider, should the violation fall into one of the lower categories

AFFIRMATIVE DEFENSE

• CE might consider, should the violation fall into one of the lower categories
• Consider corrective action within 30 days
• OCR = decision re: $$ violation

THE OMNIBUS RULE

• Finalizes:
  • The Breach Notification Rule
  • Genetic Information – Nondiscrimination Act – GINA
  • HITECH Enforcement Rule
  • HITECH ACT Privacy and Security
  • HITECH ACT – Accounting of disclosures/Access Report Rule
  • Guidance on Minimum Necessary

BREACH NOTIFICATION RULE UNDER HITECH

• Breach notification is not required if the CE or BA risk assessment shows a low probability that the PHI has been compromised, rather than demonstrating there is no significant risk of harm to the individual
• Breach with SB1386, AB1950, AB1298, AB211, SB541-337

BREACH NOTIFICATION RULE UNDER HITECH -2

• Breach has been expanded to clarify that impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised
• Harm standard removed, and the risk assessment modified to focus more objectively = PHI compromised
• Unauthorized acquisition, access, use or disclosure of PHI must compromise the security or privacy of such information to be a breach

BREACH NOTIFICATION RULE UNDER HITECH -3

• Several situations = unauthorized acquisition, access, use or disclosure of PHI that is inconsequential and does not warrant notification
• Impermissible use or disclosure case of breach of unsecured PHI. Count $$ of violations vs. $$ per individual, and are they identical?
• Per-day basis considered vs. period of time of violation and safeguard
• $$ Penalty – OCR will determine

BREACH DISCOVERED

• Discovered = Incident becomes KNOWN – Not when CE or BA concludes analysis = Breach occurred

BREACH TREATED AS DISCOVERED

• 1st day breach known to CE
  OR
• Exercise reasonable diligence = CE (45 CFR 164.404)

BREACH DISCOVERED

• When the clock starts = Notifications = In no case later than 60 calendar days
• BA discovers = Breach = Report to CE >> Clock starts re: notification (extends to BA subcontractor as well)

HIPAA DOES NOT APPLY

• For transfer of information to another provider
• To a designated person who the resident indicates can receive information – in that case you can give the information

MARKETING

• Making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
• There are exceptions identified in 164.501 [78 FR 5592] … most do not apply to us

MARKETING

• EXCEPTIONS include:
  • Refill reminders
  • Tx. including case management/care coordination
  • Indirect or recommendation for alternative treatment, therapies, providers, different care locations
  • Health related products – part of the healthcare network, et al.
• FINANCIAL REMUNERATION: $$$
  • Direct or indirect payment on behalf of a 3rd party (does not include payment for treatment).
• AUTHORIZATION FROM RESIDENT REQUIRED – re: any financial $$$

REDISTRIBUTION OF NOTICE OF PRIVACY PRACTICES

• Does not modify the current requirement to distribute revisions to the NPP for healthcare providers
• Not required to print and hand out a revised NPP to all individuals seeking treatment
• Give a copy of the NPP and obtain a good faith acknowledgement of receipt for new patients
• REVISED NPP – must be posted in a clear and prominent location with copies of the NPP available for individuals to easily take one

REDISTRIBUTION OF NOTICE OF PRIVACY PRACTICES -2

• If the CE already revised the NPP, the CE does not have to revise and redistribute again as long as the NPP is consistent and compliant with this final rule … MY??? is how is this possible??
• NPP must be, if needed, in Braille, large print or audio
• May use a layered notice – CE may give a brief summary of individual rights and a longer notice layered beneath the short notice with more detail

REDISTRIBUTION OF NOTICE OF PRIVACY PRACTICES -3

• May use email to distribute if the individual agrees to receive it that way
• CONSENT FOR EMAIL FROM THE RESIDENT
  • Example: Items in the consent. You may wish to obtain at admission (cannot be part of the Admission Packet)

ACCESS OF INDIVIDUALS TO PHI

• CE must provide an e-copy of PHI that is:
  • Maintained electronically
  • Located in one or more designated record sets
  • In the form and format requested

FORM AND FORMAT – 164.524 (c)(i)-(ii)

• Must produce a copy of the e-record in the form and format requested
• If not readily producible, then the information must be produced in an electronic form as agreed to by the CE and the individual. If the individual declines any of the options, then the CE must provide a hard copy
• At a minimum, must be in a machine-readable format (digital information stored in a standard format enabling the info to be processed and analyzed by a computer, such as MS Word, MS Excel or PDF, among other formats)
• Does not require the CE to purchase new software or systems.

WRITTEN REQUEST FOR ACCESS

• CE may require:
  • Written request
  • Cannot discourage individual from requesting an e-copy
  • MAY CHOOSE AN ORAL REQUEST (RHONDA does not recommend)
• If the CE e-record contains links to PHI that is part of the designated record set and that information is requested, i.e., scanned documents, the e-copy must contain that information. Paper records do not have to be converted to e-records for access. They can be given in paper

PORTABLE MEDIA

• Do I have to accept portable media from the resident? NO!
  • If there is an unacceptable risk.
  • Your IT security person will need to assist to make that decision.
  • You cannot require the resident or requestor to purchase a portable media device from the CE
  • Your best bet may be paper
  • ASSESS THE RISK~~
• May send unencrypted emails (need a consent for such)
• Encrypted emails may be sent w/ attachments if a key is provided separately

PORTABLE MEDIA

• WEIGHT OF THE RISKS AND THE RESIDENT’S WAIVER/CONSENT
• WEIGHT OF THE RISKS AND THE Encryption
  • The “KEY” access cannot be denied.

THIRD PARTIES

• Request to transmit a copy of the PHI to another person: the CE must comply. The request must:
  • Be made in writing
  • Be signed by the individual
  • Clearly identify the designated person
  • Clearly identify where the info will be sent

ACCESS REQUESTS IN WRITING – NEW!!!

• The same request may be used for releasing the information electronically as long as the individual clearly designates the person where the info is to be sent and signs the request
• Written request for PHI to be sent to a designated person is distinct from an authorization form
• (Assured format is still under consideration)????

WHAT DOES THAT MEAN??

• One is disclosure of information to someone else
• One is request access of record by me or my designated representative
• One is authorization – and what the difference is between the Authorization for Release and the Access request designated to someone else?????

EMAIL FAX CONSENT

• What does that look like?
• Some ideas?
• We will have a format for this consent or authorization – think it would fall into authorization???

FEES

• Allows for labor for copying PHI, whether paper or electronic
• Labor costs based on fee schedule for the technical/clinical record staff time
  • Compiling, extracting, scanning, burning onto media, distributing media
  • Could include time spent preparing an explanation or summary
• OBRA allows 24 cents, Calif. CMIA – 25 cents – local library may be less; a ? sometimes. (New guidance – awaits CA – Cal. Office of HIPAA)

FEES -2

• Other Fees include:
  • Supplies, postage, etc.
  • Cost of Supplies for creating the paper copy or electronic media (if the individual requests portable media)
  • Postage or Courier
• This provision clarifies that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs)

FEES -3

• State laws that provide a limit on the fee that a covered entity may charge for a copy of PHI
• A covered entity must be both reasonable and cost-based
• If the state-law per-page fee is 25 cents and the covered entity can provide an electronic copy for 5 cents per page, then the CE may only charge 5 cents. Even if it costs more, the CE can only charge 25 cents

$$$ – FEES FOR PAPER AND ELECTRONIC COPIES

• Paper Copies – 25 cents per page and no charges for pulling and preparing records??? (further info to come on this one)
• Electronic Copies – further info to come on this one

TIMELINESS – 164.524 (b)

• CE has 30 days with a one-time 30 day extension to respond to the request (with written notice to the individual re: reason, projected date)
• Must include reason for delay and expected completion date
• Electronic access – same as above
• Time period begins on the date of the request – THE TIME IT TAKES TO REACH AN AGREEMENT ON THE FORM AND FORMAT FOR AN ELECTRONIC REQUEST IS COUNTED IN THE 30 DAY PERIOD

TIMELINESS – 164.524 (b) -2

• OBRA requires response within 24 hrs.
• Health & Safety Code 123110 states 5 days for inspection

RISK ASSESSMENT & FACTORS

• CE and BA
• FIRST FACTOR – Evaluate the nature and extent of the PHI involved, including type of identifiers?? Re-identification possibility??
  • Consider type of PHI in the impermissible use and disclosure, sensitive nature or not??
• SECOND FACTOR – Consider the unauthorized person who used the PHI without permission, or to whom the impermissible disclosure was made
  • Consider: did the person have an obligation to protect Privacy and Security?

RISK ASSESSMENT & FACTORS -2

• CE and BA (cont.)
• THIRD FACTOR – Investigate an impermissible use or disclosure to determine if PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed
• FOURTH FACTOR – Requires CE and BA to consider the extent to which the risk to the PHI has been mitigated

RISK ASSESSMENT & FACTORS -4

• Obligation of CE and BA – mitigate the risks
  • Obtain recipient’s satisfactory assurances that the information will not be further used or disclosed – destroyed data assurance
• CE/BA --- MUST PERFORM RISK ASSESSMENT
• Encryption encouraged to limit the risks
• Encryption then no breach notification required

GENERAL REG. ACT REQUIRES

• HIPAA – Covered entities (CEs) provide notification to affected individuals of a breach of unsecured PHI
• CEs provide notification to the media of breaches in some situations!!!!

UNSECURED PHI – BREACH BY BA/BA SUBCONTRACTORS

• BA = Notify CE of Breach
• BA = Agreement to include notification and indemnification and will meet requirements
• Extends to BA – Subcontractors
• HHS – OCR posts list of CEs with breach of unsecured PHI

EXCEPTIONS

• CE & BA that implement the specified technology and methodologies with respect to safeguarding: “encryption”
• CE & BA NOT required to provide notifications in event of a breach of PHI

EXCEPTIONS -2

• CE & BA not required to provide notification in event of a breach of PHI IF:
  • PHI safeguarded using technologies and methods not considered “unsecured”
  • http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2009_register&docid=DOCID:fr24au09-10.pdf
  • Look in detail in the older HITECH and the final link … see first of presentation

BREACHES EFFECTIVE

• NOW – BA as of Feb 2010
• All should begin sanctions – Feb 2010 – Updated now in 2013
• Document efforts to meet compliance!!! NOW if not before

BREACH NOTIFICATION APPLIES TO

1. Business Associate Agreements
2. SB 541, 337 – California
3. Penalties

REQUIREMENTS

• Breach discovery (unsecured PHI): the CE notifies each individual of a breach of UNSECURED PHI that has, or is believed to have been, accessed, acquired, USED or disclosed – 45 CFR 164.404
• NOW!

REQUIREMENTS -2

• OCR has added language to the definition of breach to clarify that “impermissible Use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates there is LOW PROBABILITY that the PHI has been compromised.” (Your local log has to be thorough and exact to track.)

BREACH

• OCR removed the “harm standard” and replaced it with “Risk Assessment” – Risk of the PHI being compromised

WHAT MUST I REPORT TO OCR??

• Determine if the risk assessment indicates low probability that PHI has been compromised
• Several situations – NOT BREACH
• “Focus on harm to the individual in the past, and now the requirement is to focus on --- must assess the probability that the PHI has been compromised based on the risk assessment that considers the factors”????

OCR ACKNOWLEDGES

• NOT RISK OF HARM – Probability of PHI compromised based on a risk assessment AND focus on PHI Compromised to include:
  • Nature and extent, type of identifiers and likelihood of re-identification
  • Unauthorized person who used the PHI or to whom the disclosure was made
  • Whether PHI was actually acquired/viewed
  • Extent to which risk to the PHI has been mitigated

HOW DO I DETERMINE RISK?

• First – Nature and extent of PHI and likelihood of re-identifying, i.e., sensitive info.
• Second – Unauthorized person who impermissibly used the PHI or to whom disclosure was made. Does that person have an obligation to protect the privacy and security of information?
• Third – Determine if PHI was actually acquired or viewed, or if only the opportunity existed but it was not knowingly accessed
• Fourth – Risk to PHI has been diminished

HOW DO I DETERMINE RISK? -2

• Other steps for impermissible use or disclosure:
  • Obtain recipient’s satisfactory assurance that PHI will not be disclosed/used – confidentiality agreement or destroyed – and determine the efficacy/value of the mitigation
• Analysis documented of each of the risks, using the four elements identified above
• Consider strongly re-identification of the PHI

IMPERMISSIBLE USE

• Must perform risk assessment
• Consider re-identification
• Assess unauthorized person re: ability to re-identify the affected individuals

ENCRYPT

• A safe harbor

MINIMUM NECESSARY IN NEW RULE

• Requires CE and BA to make reasonable efforts to limit access to PHI to those persons or classes who need access to carry out their duties, and to disclose what is reasonable
• THINK ABOUT YOUR COMPUTER SYSTEM

MINIMUM NECESSARY

• Now explicitly extends to BA as well
• Outlined in the BA Agreement
• All facilities (CEs) and all BAs must follow the Minimum Necessary to carry out the duties and responsibilities of their organization
• BA Agreement should reference Minimum Necessary as do the CE policies and procedures, and the BA must be consistent with the CE P/P
• There will be more guidance on minimum necessary

TERMS

• Use and Disclosure – Privacy Rule
• OCR uses acquisition and access
• All are considered the same?

USE AND DISCLOSURES – AUTHORIZATION REQUIRED

• Sale of PHI is prohibited without authorization (this means directly or indirectly receiving remuneration, both financial and non-financial benefits (in-kind benefits))

USE & DISCLOSURE

• Sale of PHI does not include disclosure of PHI:
  • For public health
  • Research
  • Treatment and payment
  • Sale, transfer – due diligence
  • BA agreements
  • To an individual who has requested PHI
  • As required by law
  • Purposes permitted for cost – to prepare, transmit information, or where fees are permitted by law

FEES….

• Where allowed – reasonable cost-based fee to prepare, transmit data; costs include both direct and indirect costs for generating, storing, retrieving and transmitting PHI
  • Labor
  • Materials
  • Supplies
  • Profit margins are not allowed.
• De-identified PHI data not subject to $$ prohibition

PHI DECEDENTS

• Comply for 50 years following date of death
• Individually Identifiable Data, that is the stats about the resident, name, date of birth, etc., can be released but not the conditions or PHI

DEATH AND PHI

• Now permits entities to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the CE
• A person of the 1st, 2nd, 3rd or 4th degree of the individual, or of a dependent of the individual, is defined as a family member.

DEATH AND PHI – DEFINITIONS

• First-degree relatives include parents, spouses, siblings, and children
• Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces
• Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins
• Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins

CE ENSURES

• BA Contracts = language re: BA notification and requirements / include BA subcontractors

IN-SERVICE

• CE & BA are trained (all staff trained and aware of the IMPORTANCE of timely reporting of privacy and security incidents)

EXCEPTIONS

• Unintentional breach by a staff member or person acting for CE or BA
• Acquisition made = good faith – within authority scope – NO further use or disclosure

EXCEPTIONS – EXAMPLE #1 – UNINTENTIONAL

• Physical Therapist reviews a record and realizes it is not the correct resident, within the scope of the contract of who they should be treating

EXCEPTIONS – EXAMPLE #2 – INADVERTENT DISCLOSURE

• Person authorized to access PHI for CE or BA discloses PHI to another person at the CE or BA. PHI = No further use or disclosure – this would be determined in the risk assessment

EXCEPTIONS – EXAMPLE #3 – INADVERTENT DISCLOSURE

• Director of Nursing receives an email from a hospital not intended for her – re: PHI – email referred to the correct person and deleted

EXCEPTIONS – EXAMPLE #4 – NOT REASONABLY ABLE TO RETAIN

• Unauthorized person to whom the disclosure was made is not reasonably able to retain such information
• PHI given to “unauthorized” – wrong resident – exchanged right away for the correct information.
• Example of risk assessment

EXCEPTION – PROOF IS ON “U”

• CE or BA has the burden of proof to show = no breach = why breach notice = not required
• Document why not allowed – use or disclosure falls under an exception

LIMITED DATA SET & DE-ID INFORMATION

• CE/BA – Created Limited Data Sets & De-ID PHI through redaction, if removal of identifiers results in information meeting the criteria of 45 CFR 164.514(e)(2) or 164.514(b)
• Exception – PHI redacted – may not require notification – cannot be identified to a resident – PHI

LIMITED DATA SET & DE-IDENTIFICATION INFORMATION -2

• Loss/Theft – Redacted information
• Loss/Theft = Does not require notification under the Rules – because the information is not PHI, i.e., de-identified information
  OR
• Redacted info does not compromise security & privacy = No Breach

LIMITED DATA SET

• Created by removing direct IDs from PHI
• Include in Risk Assessment

HHS = EXCEPTION STATEMENT

• Narrow exception would not apply if, for example, it includes zip code information or contains birthdates and zip code information
• Question re: ID – is there a risk of re-identification that poses a significant risk of harm to the individual?

RESPONSIBILITY

• CE is not responsible for a breach by a 3rd party unless the 3rd party is in the role of an agent of the CE or BA

3RD PARTY RESPONSIBILITY

• Receives BA- or CE-provided info as a 3rd party
• Breached = 3rd Party
• Used/disclosed not permissibly
• Determine if privacy & security compromised
• Responsible for complying with the Rule
• http://frwebgate2.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=oHkL0Q/0/1/0&WAISaction=retrieve

LIMITED DATA SETS – BURDEN OF PROOF

• PHI = No zip code or Birthdate = lost information did not include identifiers

RISK ASSESSMENT OF THE BREACH

• Establish Breach = Violates Privacy Rule
• CE = ?? Whether the violation compromises Security/Privacy of PHI

RISK ASSESSMENT – SECURITY / PRIVACY

• Compromise PHI
• Significant Risk of $$ – Reputation
• Harm to person

BREACH – RISK ASSESSMENT STEPS

• Who impermissibly used, or to whom was the information impermissibly disclosed?
• Obtaining the recipient’s assurances that information will not be further used or disclosed
• Steps to eliminate or reduce the risk of harm to less than “significant risk”

BREACH – RISK ASSESSMENT STEPS -2

• If the security and privacy of the information have not been compromised, there is no breach

• Impermissibly disclosed PHI that is returned before it is accessed may not be a breach

• The CE and BA should also consider the type and amount of PHI involved
• If the PHI does not pose a significant risk of financial, reputational or other harm, the violation is not a breach

113

RISK ASSESSMENT DOCUMENTATION

• CEs and BAs must demonstrate in writing that no breach occurred because the incident did not pose a significant risk of harm
• CEs and BAs document every risk assessment
• Where the PHI is a limited data set without zip codes or dates of birth, keep documentation demonstrating that the lost information did not include those identifiers

114

NOTIFICATION CONTENT – (45 CFR § 164.404(c))

• Notification to the individual without unreasonable delay and no later than 60 calendar days after discovery of the breach
• A brief description of what happened, the date of the breach and the date of discovery (if known)
• A description of the types of unsecured PHI involved (e.g., name, date of birth, diagnosis)
• Steps the affected persons should take to protect themselves from potential harm (e.g., check credit reports when financial information was breached)

115

NOTIFICATION CONTENT – (45 CFR § 164.404(c)) -2

• A description of what the CE is doing to investigate the breach, mitigate harm and protect against further breaches

• Contact procedures for individuals to ask questions or obtain additional information

116

NOTIFICATION REQUIREMENTS

• Written notice to the individual is required, by first-class mail to the last known address or by e-mail if the individual has agreed to electronic notice; if contact information is insufficient or out of date, substitute notice is required

• If the individual is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice goes to the personal representative

• If the individual is deceased, notice goes to the last known address of the next of kin or personal representative, and is required only if the CE knows the individual is deceased and has that address

117

SUBSTITUTE NOTICES

• If the CE lacks sufficient contact information, or notices are returned as undelivered, the CE must provide substitute notice to the unreachable individuals

• For decedents, a CE is not required to provide substitute notice when it lacks contact information for the next of kin or personal representative

118

SUBSTITUTE NOTICES -2

• Fewer than 10 individuals with insufficient or out-of-date contact information: substitute notice may be an alternative form of written notice, telephone, or other means

• Substitute notice may also be a posting on the CE's web site or at another location

• A posting must not disclose any information that would identify an individual

119

SUBSTITUTE NOTICES -3

• 10 or more individuals with insufficient or out-of-date contact information: the rule requires the CE to provide substitute notice by either:
• A conspicuous posting on the home page of the CE's web site for 90 days, or
• A notice in major print or broadcast media in the geographic areas where the affected individuals likely reside

• Either form must include a toll-free telephone number, active for at least 90 days, where individuals can learn whether their PHI was involved

120

URGENT SITUATIONS

• In cases the CE deems to require immediate notification because of possible imminent misuse of unsecured PHI, notice may be given by telephone or other means

• Such notice is in addition to, not in lieu of, direct written notice

121

NOTIFICATION TO THE MEDIA

• Notice to prominent media outlets serving the State or jurisdiction is required following a breach of unsecured PHI involving more than 500 residents of that State or jurisdiction (45 CFR § 164.406)

• It supplements, and does not substitute for, individual notices
• Media must be notified without unreasonable delay and no later than 60 days after discovery of the breach

122

NOTIFICATION TO THE MEDIA -2

• The notice must include:
• A brief description of what happened, including the date of the breach and the date of discovery (if known)

• A description of the types of unsecured PHI involved (e.g., name, date of birth, diagnosis)

• Steps the affected persons should take to protect themselves from potential harm (e.g., check credit reports when financial information was breached)

123

NOTIFICATION TO THE MEDIA -3

• The notice must include (cont.):
• A description of what the CE is doing to investigate the breach, mitigate harm and protect against further breaches

• Contact procedures for questions or additional information (a toll-free telephone number, an e-mail address, a web site, or a postal address)

• Content requirements are those of 45 CFR § 164.404(c), applied to media notice by § 164.406(c)

124

NOTIFICATION TO THE MEDIA -4

• Example: a breach affecting 600 individuals, 200 residing in California and 400 in Nevada, does not involve more than 500 residents of any one State

• Media notification is not required
• Individual notification to the affected residents of both California and Nevada still applies

125

BREACHES – 500 OR MORE INDIVIDUALS

• The CE must notify the Secretary (OCR) contemporaneously with the individual notices, using the form on the HHS web site

• Breaches reported this way are posted on the HHS web site

126

BREACHES – FEWER THAN 500 INDIVIDUALS

• For breaches of unsecured PHI involving fewer than 500 individuals, the CE maintains a log of the breaches and reports them to the Office for Civil Rights (OCR) no later than 60 days after the end of the calendar year in which the breach was discovered
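The thresholds and deadlines on the preceding slides are easy to mix up under pressure (media notice counts residents per State and is triggered above 500; the HHS report counts individuals in total and is triggered at 500; substitute notice depends on how many people are unreachable; a law-enforcement hold has different limits for written and oral requests). The following planner is an added example written for this page, not part of the original deck, that encodes those rules from 45 CFR §§ 164.404–164.412 and applies them to a constructed scenario. It assumes the discovery date is already known, uses the 60-day outer limit rather than "without unreasonable delay", and assumes a substitute-notice posting goes up on the individual-notice due date; the `Breach` and `Plan` types and all field names are inventions for illustration.

```python
# Breach-notification obligation planner. Added example, not from the deck.
# Encodes the deadlines and thresholds of 45 CFR 164.404-164.412 as stated on
# the slides above and applies them to a constructed scenario.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60          # 164.404(b): no later than 60 calendar days after discovery
MEDIA_STATE_THRESHOLD = 500          # 164.406: MORE than 500 residents of one State/jurisdiction
HHS_CONTEMPORANEOUS_THRESHOLD = 500  # 164.408(b): 500 OR MORE individuals in total
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60  # 164.408(c): fewer than 500 -> log, report within 60 days of year end
SUBSTITUTE_SMALL_GROUP = 10          # 164.404(d)(2): fewer than 10 unreachable -> alternative means
SUBSTITUTE_POSTING_DAYS = 90         # 164.404(d)(2)(ii): posting and toll-free number for 90 days
ORAL_LE_DELAY_CAP_DAYS = 30          # 164.412(b): oral law-enforcement request holds at most 30 days


def law_enforcement_delay(requested_days: int, written_statement: bool) -> int:
    """Days the notification clock may be held at law enforcement's request (164.412)."""
    if requested_days <= 0:
        return 0
    if written_statement:
        return requested_days                                # written: the period the statement specifies
    return min(requested_days, ORAL_LE_DELAY_CAP_DAYS)       # oral: 30 days unless a written statement follows


@dataclass
class Breach:                               # hypothetical type for this example
    discovered: date                        # first day the breach was known or should have been known
    residents_by_state: Dict[str, int]      # State or jurisdiction -> affected residents
    unreachable: int = 0                    # living individuals with insufficient/out-of-date contact info
    le_delay_days: int = 0                  # delay requested by law enforcement, if any
    le_written: bool = False                # True if the request came as a written statement


@dataclass
class Plan:                                 # hypothetical type for this example
    total_affected: int
    individual_notice_due: date
    media_notice_states: List[str]
    hhs_report: str
    hhs_report_due: date
    substitute_notice: str
    substitute_posting_until: Optional[date]


def plan_notifications(b: Breach) -> Plan:
    """Work out who must be notified, and by when, from the counts and discovery date."""
    total = sum(b.residents_by_state.values())
    delay = law_enforcement_delay(b.le_delay_days, b.le_written)
    # The rule is "without unreasonable delay"; 60 days (plus any hold) is only the outer limit.
    individual_due = b.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS + delay)

    # Media notice is evaluated per State: 600 people split 200/400 across two States trigger none.
    media_states = sorted(s for s, n in b.residents_by_state.items() if n > MEDIA_STATE_THRESHOLD)

    if total >= HHS_CONTEMPORANEOUS_THRESHOLD:
        hhs_report = "notify the Secretary contemporaneously with individual notice via the HHS web site"
        hhs_due = individual_due
    else:
        hhs_report = "record in the breach log; submit the log to OCR after year end"
        hhs_due = date(b.discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)

    if b.unreachable == 0:
        substitute, posting_until = "not required", None
    elif b.unreachable < SUBSTITUTE_SMALL_GROUP:
        substitute, posting_until = "alternative written notice, telephone or other means", None
    else:
        substitute = "conspicuous web posting or major print/broadcast media; toll-free number for 90 days"
        posting_until = individual_due + timedelta(days=SUBSTITUTE_POSTING_DAYS)  # assumes posting on the due date

    return Plan(total, individual_due, media_states, hhs_report, hhs_due, substitute, posting_until)


if __name__ == "__main__":
    # Constructed scenario matching the slide: 200 California and 400 Nevada residents, 12 unreachable.
    scenario = Breach(discovered=date(2013, 3, 15), residents_by_state={"CA": 200, "NV": 400}, unreachable=12)
    for name, value in vars(plan_notifications(scenario)).items():
        print(f"{name:26} {value}")
```

Running it for the slide's scenario gives an individual-notice deadline of 2013-05-14, an empty media list (neither State exceeds 500 residents), an HHS report due with the individual notices (600 is at or above the 500 total), and a 90-day substitute posting because 12 people are unreachable. Change the counts to 120 Californians and the HHS obligation becomes the annual log, due 60 days after 31 December; request an oral 45-day law-enforcement hold and the planner caps it at 30 days.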

127

HITECH ACT

• Who enforces failure to notify, or notification that is untimely?
• The Department of Health and Human Services, through OCR
• Against HIPAA covered entities and their business associates

128

HITECH ACT -2

• Subpart D – Breach Notification
• State Attorneys General may bring civil actions under HITECH for violations, including failure to notify in a timely manner
• The Federal Trade Commission enforces untimely notification by PHR vendors and their service providers
• Breach notifications from CEs go to the Office for Civil Rights

129

NOTIFICATION BY A BUSINESS ASSOCIATE (IN REVIEW)

• A breach is treated as discovered by a BA on the first day it is known to the BA, or on which, by exercising reasonable diligence, it would have been known

130

NOTIFICATION BY A BUSINESS ASSOCIATE (IN REVIEW) -2

• The BA (and a BA subcontractor, which notifies the BA) is required to:
• Notify the CE without unreasonable delay and in no case later than 60 days after discovery of the breach, so that the CE can notify the affected individuals

• Provide the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, and any other available information the CE is required to include in its notification to the individual

131

LAW ENFORCEMENT DELAY

• If a law enforcement official determines that notification would impede a criminal investigation or damage national security, the CE or BA must temporarily delay notification

• Written request: the official provides a written statement that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which the delay is required

132

LAW ENFORCEMENT DELAY -2

• Oral request: the official states orally that notification would impede a criminal investigation or cause damage to national security
• The CE or BA must document the statement and the identity of the official, and may delay notification no longer than 30 days from the oral statement unless a written statement is submitted during that time

133

PERSONAL HEALTH RECORDS (PHRs)

• The Federal Trade Commission (FTC) imposes similar breach notification requirements on vendors of PHRs and their third-party service providers

• The trigger is a breach of security of unsecured PHR identifiable health information

• An entity that provides PHRs to customers of a HIPAA CE as a BA falls under the HIPAA rule rather than the FTC rule

134

PERSONAL HEALTH RECORDS (PHRs) -2

• Where a vendor offers PHRs directly to the public and a breach of its records occurs, the FTC will, in the cases described in its rule, deem compliance with the HIPAA notice requirements to satisfy the FTC rule

• It may be appropriate for such a vendor to provide the same breach notice to all affected users

135

HITECH FLOW CHART


136

HITECH FLOW CHART -2

137

HITECH FLOW CHART -3

138

HITECH FLOW CHART -4

139

NOTICE TO INDIVIDUALS

• The notice must contain a description of what happened and of the unsecured PHI involved, steps individuals should take to protect themselves, a description of the CE's efforts to investigate, mitigate and prevent further breaches, and contact information

140

HIPAA – RETENTION OF DISCLOSURES

• The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures

141

ACCOUNTING OF DISCLOSURES

• HITECH (§ 13405(c)) extends the accounting of disclosures for CEs and BAs to disclosures made through an EHR, including disclosures for treatment, payment and health care operations; HHS proposed implementing regulations in 2011, which had not been finalized as of 2013

• The EHR accounting covers three years of disclosures rather than the six years required under HIPAA

142

BA AGREEMENT

• Update the business associate agreement; BA subcontractors are notified by the BA. Know your policy so that it reflects the new HITECH requirements

• CEs must update all business associate agreements to include the HITECH requirements and the new guidance on impermissible use of PHI

143

CALIFORNIA - BREACH

• Personal information includes medical information and health insurance information, Civil Code § 1798.29(e)(4) and (e)(5)

• Notice of a breach of computerized data containing such information, § 1798.29(a)

• Reasonable security for personal information, § 1798.81.5
• Proper disposal and destruction of records containing personal information, § 1798.81

• http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29

144

CALIFORNIA – CE

• Licensed clinics and health facilities are required to report unlawful or unauthorized ("impermissible") access, use or disclosure of a patient's medical information within 5 business days under SB 541 / AB 337, in effect since January 2009

145

PENALTIES

• SB 541 / AB 337: failure to report within 5 business days carries a penalty of $100 per day for each day the unlawful or unauthorized access, use or disclosure goes unreported, up to a maximum of $250,000

146

HITECH/CALIFORNIA – RISK ANALYSIS & IMPLEMENTATION

• Possible areas of risk:

• Guidance on documenting the investigation and notification of breaches

• Breach response policies and procedures
• Breach response process
• Analysis of where you stand on security: encryption? Exposure of your organization and of your BAs?

147

CALIFORNIA PRIVACY AND SECURITY & MORE!!

• SB 1386 – security breach notification; encrypted data is exempt
• AB 1950 – reasonable protection of personal data
• AB 1298 – adds medical history and other medical information to breach notification
• AB 211 – fines
• SB 541 / AB 337 – breach reporting by health facilities

148

SECURITY / ACCESS CONTROL

• Can your current EHR produce a matrix of security roles and access controls on request?

• Is destruction of electronic data and of paper records secure? How do you know? Who is responsible?

149

LIABILITY ???

• Let's review!
• There are no absolute tools for preventing PHI breaches, but you can develop tools that match your system: access control logs and HIPAA audit logs, sign-on/sign-off logs, etc.

• Compare job duties against the data screens each role is assigned

150

LIABILITY ??? -2

• What kind of insurance do you have?
• What mitigation will it fund if a breach does happen?

• Identity theft is a potential consequence; how will you cover that?

151

LIABILITY ??? -3

• Breach notifications $$
• Credit monitoring services, by contract or with employees $$

• Possible legal costs $$
• Call center $$
• Identity theft insurance offered with the breach notice $$
• Other costs: administrative and staff time?

152

TEXTING

• Review texting, risks and the facility policy on Texting.

153

HIPAA COMPLIANCE FOR CLINICIAN TEXTING

• Text or SMS

• Texting can offer providers numerous advantages for clinical care
• Often the fastest and most efficient means of sending information in a given situation

• Clinicians text clinical information whether authorized to or not; how do you control it?

• Texting between clinician members of the workforce
• How to ensure safer texting practices

154

RISKS OF TEXT MESSAGING – HIPAA BREACH

• Texting represents a different set of risks
• Text messages may reside on a mobile device indefinitely
• They are exposed to unauthorized third parties through theft, loss or recycling of the device
• On a device without a passcode they can be read without any authentication
• SMS is not encrypted end to end: any encryption the carrier applies over the air does not protect the message on the carrier's network or on the device, and interception of over-the-air cellular traffic has been demonstrated with inexpensive equipment

155

RISKS OF TEXT MESSAGING – HIPAA BREACH -2

• HIPAA Privacy Rule: the designated record set includes PHI used, in whole or in part, by the CE to make decisions about individuals
• Text messages used to make decisions about resident care are therefore part of the designated record set
• Compliance risk under the Privacy Rule if the CE cannot provide residents with access to those messages

156

TEXTING IN COMPLIANCE PROGRAMS

• Include text messaging in the HIPAA Security Rule risk analysis and risk management strategy
• Identify where electronic PHI (ePHI) is created, received, maintained and transmitted

• Identify and document any reasonably anticipated threats to ePHI

157

TEXTING IN COMPLIANCE PROGRAMS -2

• Document the security measures already in place (e.g., an existing texting policy), each threat and its potential impact:
• Theft or loss of the mobile device
• Improper disposal of the device
• Interception of a transmission of ePHI by an unauthorized person
• Lack of availability of ePHI to persons other than the mobile device user

158

TEXTING IN COMPLIANCE PROGRAMS -3

• Examples of security controls:
• Administrative policy prohibiting texting of ePHI, or limiting the type of information that may be texted
• Limiting condition-specific information or information that identifies the resident
• Workforce training on permitted work-related use
• Passcode protection and encryption for mobile devices
• Inventory of all mobile devices used for texting
• Proper sanitization of mobile devices when a device is retired

159

RECAP

• Make your TO DO LIST

160

EVALUATION

Rhonda Anderson, RHIA, President

[email protected]

Anderson Health Information Systems, Inc.

940 W. 17th Street, Suite B

Santa Ana, CA 92706

714-558-3887

161