Posted on 18-Dec-2014

DESCRIPTION

Some changes to the HIPAA rules that HITECH required had never been made, and an interim final rule implemented the HITECH Act breach notification requirements. The Omnibus Rule now amends and finalizes these rules, because they were confusing and drew public comment that convinced HHS to make changes.

TRANSCRIPT

2013 HHS HIPAA OMNIBUS RULE

Vermont Mental Health & The Law

June 21, 2013

Presenter: Eileen Elliott, Esq.

Health Information Technology for Economic and Clinical Health

(HITECH) Act

• Strengthened privacy, security, and enforcement provisions

• 2009

Most of the changes in the new rule are already law under the 2009 HITECH Act. The Omnibus Rule is an amalgam of four interim and proposed rules:

• HIPAA Privacy, Security, and Enforcement Rules

• Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure

• Breach Notification for Unsecured Protected Health Information under HITECH

• Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

Effective dates

• Omnibus Rule became effective on March 26, 2013

• Compliance date September 23, 2013

• Deferred compliance date is provided in certain cases for existing business associate agreements. At the latest, all of these contracts must be compliant by September 22, 2014.

• Default compliance period of 180 days from effective date for future HIPAA rules

Major Effects of Omnibus Rule

1. Enhanced breach notification requirements

2. Increased Business Associate liability

3. HHS enhanced fining authority

4. Extension of GINA to all plans subject to HIPAA

1. Strengthened Breach Reporting

• Eliminated the harm standard

• Prior rule: Breaches were not reported unless they posed a “significant risk of reputational, financial or other harm” to individuals.

• As Amended: The determination of whether an incident is a breach depends not on the likelihood that affected individuals might be harmed, but rather on the risk that PHI has been “compromised.”

Strengthened Breach Reporting, cont.

• Incident is presumed a breach unless a risk analysis reveals a “low probability” that PHI has been compromised

• Impermissible uses of PHI, and not only impermissible disclosures, are potentially subject to breach notification.

• Now required to do a risk analysis

Risk Analysis

RA must include at least the following factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

• The unauthorized person who used the PHI or to whom the disclosure was made;

• Whether PHI was actually acquired or viewed; and

• The extent to which any risk to PHI has been mitigated.

Risk Analysis, cont.

• Notification will be required if the risk analysis reveals there is greater than a “low probability” that the PHI will be or has been compromised.

• RA must be documented and retained

Exceptions to Breach

• Could not reasonably be retained

• Inadvertent access, unintentional and in good faith

• Inadvertent disclosure to another person at the same entity who is authorized

• Further impermissible use destroys any exception

Notification Requirements

• Affected individuals, HHS and, in some cases, the media

• 500 or more individuals - HHS contemporaneous with the notice to individuals

• < 500 individuals can be logged and reported to HHS on an annual basis

• Cascading notifications – BAs, CEs and subcontractors

• Required without unreasonable delay and in no case later than 60 days from the date the breach is discovered

• Notification delays allowable if law enforcement advises that notification might impede their investigation

Breach Safe Harbors

• Encryption

• Disposal

Business Associates

• An entity that performs functions or services for covered entities that involve uses or disclosures of PHI

• BAs may "create, receive, maintain, or transmit” PHI

• Entities merely storing PHI also are business associates

Subcontractors are BAs

• Subcontractors are HIPAA BAs if they create, receive, maintain or transmit PHI

• “on the hook" for compliance with applicable rules like the Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.

• Organizations providing personal health records (PHRs) on behalf of CEs are business associates.

• "conduit exception" still applies but narrow

New Requirements for BAs

• Huge ramifications

• Security Rule compliance required

• Use/disclosure requirements of Privacy Rule

• Provide copies of ePHI

• Maintain accounting of disclosures

• Provide HHS w/ PHI during review or audit

Contracting Ramifications

• CEs still must contract with BAs, but need not contract with a BA’s subcontractors

• BAs must enter into agreements with Subcontractors

• Many more entities are considered BAs

Liability for Violations by BAs

• Business associates can be directly liable for HIPAA noncompliance, including compliance reviews, fines, equitable relief and audits

• Subcontractors of BAs are now also defined as BAs, and can also be directly liable for violations

Hybrid Entities

• When organization carries out some HIPAA covered functions and some non-HIPAA covered functions, it is a hybrid entity.

• Business units that perform business associate-like support functions, such as the IT or Legal Departments, need to comply w/ HIPAA

• HIPAA permits a hybrid entity to designate which “components” of its business are HIPAA covered and, once documented, only those designated components have to comply with HIPAA.

Enforcement and Penalties

• “willful neglect” by the CE or BA requires HHS to conduct compliance reviews and investigate complaints

• HHS may fine any CE, BA or subcontractor responsible for a violation.

• Violations are counted up “based on the nature of the…obligation to act or not act.”

• New factors in fining calculus - number of persons affected by the violation and potential harm to those persons’ reputations

Fines

• Violation was not known and could not have been discovered with reasonable diligence – potential penalty per violation - $100 – $50,000

• Reasonable cause for violation, not due to willful neglect

– potential penalty per violation $1,000 – $50,000

• Violation due to willful neglect, but corrected in 30 days

– potential penalty per violation $10,000 – $50,000

• Violation due to willful neglect, not corrected in 30 days

– potential penalty per violation $50,000

• Maximum - $1,500,000 for all violations of an identical provision

Fines, cont.

• Monetary penalties will be tallied on a per person and per day basis.

• Breaches usually yield at least two violations: impermissible use or disclosure and a safeguards violation.

Privacy Rule

• PHI remains protected 50 years after death

• Provision of access to PHI is a disclosure

• Business associates are directly required to comply with Privacy Rule

– Expressly prohibited from using/ disclosing PHI other than as permitted by their BA agreements

– Prohibited from uses or disclosures of PHI that would not be permitted if done by CE client

• HIPAA Rules apply to genetic information

Marketing

An individual’s express authorization is required before a covered entity may make a communication regarding treatment or health care operations where:

• The CE receives financial remuneration from (or on behalf of) a third party in exchange for sending the communication; and

• The communication is intended to encourage purchase or use of a product or service offered by the third party.

Marketing Authorization Required

• Communications that may be subject to this requirement include those regarding:

– Appointment reminders;

– Treatment reminders;

– Alternative treatments;

– Health care products or services.

Marketing Authorization Not Required

• Communications that are not subject to this requirement continue to include:

– Face-to-face communications;

– Promotional gifts of “nominal” value;

– Refill reminders and adherence reminders for current prescriptions, if any remuneration reasonably reflects the cost of making the communication.

No authorization required, cont.

• Communications about health in general, e.g. prevention, healthy habits

• Communications about government or government-sponsored programs that benefit the public, such as eligibility for Medicare or Medicaid

Authorization requirements

• HIPAA mandates a certain form and content for valid authorizations

• CEs must disclose in their marketing authorizations that they are receiving financial remuneration in exchange for sending marketing communications.

• Right to revoke

Fundraising

• CE may use, or disclose to a BA or an institutionally related foundation, certain PHI for its own fundraising w/o authorization

• Opt-out mechanism that does not place an undue burden on the individual

• Cannot condition treatment or payment on the individual’s choice

• Notice of privacy practices must describe the covered entity’s intent to send fundraising communications and describe the individual’s right to opt out

Sale of PHI

• Prohibited unless authorized

• Authorization must disclose that remuneration will be received

• Sale = a CE or BA receives remuneration, financial or otherwise, directly or indirectly, from or on behalf of the recipient in exchange for the PHI

Sale exceptions

• Disclosures for research purposes where the remuneration represents a reasonable cost-based fee

• Disclosures by BAs or their subcontractors where remuneration is provided by the CE or BA to compensate for the activities performed by the BA or subcontractor

• Sales must be included in authorization forms

Research Changes

• Authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study.

– Therapy notes

• Revocation

• Research authorizations need not be study specific where they pertain to future research.

Individual’s Right to Request PHI

• In any format as long as readily producible

• Even if maintained electronically

• CEs must provide copies of PHI to other parties if designated by the individual.

– Written and signed

– Clearly identify recipient and where to send

Right to Request PHI, cont.

• Reasonable, cost-based fee – labor and postage

• The 60-day response period is gone; now only 30 days

– CE can still give itself one additional 30-day extension

Email

HHS provides that covered entities are permitted to send individuals unencrypted emails including ePHI if the individual requests it, provided the covered entity has advised the individual of the risk and the individual still prefers to receive the message by unencrypted email.

Restrictions on Disclosures

• Individuals have right to restrict certain disclosures of PHI to health plans, where

– Disclosure is for payment or operations

– Individual paid for the item or service in full out of pocket

– Not otherwise required by law

• Flag the PHI to identify the restriction.

• Flag the PHI to identify the restriction.

Additional Allowable Disclosures

• Decedents and individuals “not present”

– Narrow, but a minefield of subjectivity

• Schools

– Immunization records if required by state law

– Needs agreement of parents, guardian or emancipated minor

Notice of Privacy Practices

• Modifications needed:

– Revised description of uses and disclosures that require an authorization: marketing, selling PHI, fundraising

– Opt out rights

Changes to Notice of Privacy

• Right to be notified of security breaches

• Providers must explain restriction rights for PHI paid-in-full out of pocket

• Plans must explain GINA obligations

• Plans must explain how they will notify beneficiaries of changes to the notice

Security Rule

• The Security Rule now applies in full to BAs and their subcontractors.

• Variety of comprehensive security measures

• CEs remain liable for BAs

• BAs need to enter into agreements with subs

• Compliance date is 9/23/13

• Higher fines

Security Rule, cont.

• Retained Flexibility of Approach

• Internet, extranets and intranets are forms of electronic media because they transmit data electronically

• A transmission is not electronic media if the information did not exist in electronic form immediately before the transmission

• Genetic information is “health information” and subject to HIPAA rules if it is individually identifiable.

GINA Requirements

• Makes all plans that are subject to HIPAA subject to GINA

• Forbids using genetic information for underwriting

• “genetic information” included in the definition of “health information”

GINA, cont.

• Genetic Information defined as:

– Genetic tests of individual or family members

– Manifestation of a disease or disorder in the individual’s family members

– Any request for, or receipt of, genetic services, or participation in clinical research by individual or family

To-Do List

1. Revise BA agreements

2. Revise and distribute Notice of Privacy Practices

3. Evaluate existing contractor relationships

4. Revise HIPAA policies and procedures for breach reporting

5. Conduct training
