
HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series,

Part I: The HITECH Omnibus Rule—An Overview and Important Policy Changes

This bootcamp webinar and roundtable discussion series is brought to you by the Health Information and Technology (HIT) Practice Group, and is co-sponsored by the Business Law and Governance (BLG); Healthcare Liability and Litigation (HCL); Health Information Technology (HIT); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Life Science (LS); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Medical Staff, Credentialing and Peer Review (MSCPR); Payors, Plans, and Managed Care (PPMC); Physician Organization (Physicians); Regulation, Accreditation and Payment (RAP); and Teaching Hospitals and Academic Medical Centers (TH/AMC) Practice Groups and the Healthcare Reform Educational (HRE) Task Force.

February 25, 2013 1:00-2:30 pm EST


Presenters:

Susan D. McAndrew, JD, Deputy Director, Health Information Privacy, Office for Civil Rights, U.S. Department of Health & Human Services, Washington, DC, susan.mcandrew@hhs.gov

Robert L. Coffield, Esquire, Member, Flaherty Sensabaugh Bonasso PLLC, Charleston, WV, RCoffield@fsblaw.com

Adam H. Greene, Esquire, Partner, Davis Wright Tremaine LLP, Washington, DC, adamgreene@dwt.com

Moderator:

Patricia A. Markus, Esquire, Partner, Smith Moore Leatherwood LLP, Raleigh, NC

[Slide image] Motorola StarTAC, released in 1996. The 1st clamshell flip mobile phone.

[Slide image] AHLA CEO “Rockstar” THEN . . . and NOW

[Slide image] The Wayback Machine (www.archive.org), January 14, 2001

[Slide image] The Office for Civil Rights, February 25, 2013

[Slide image] HITECH Omnibus Rule: A snapshot of 138 pages

[Slide image] Kristen Rosati, President-Elect of AHLA

82462 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations: $100 to $25,000

5566 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations: $100 to $1,500,000


HIPAA HITECH Timeline (45 CFR parts 160 and 164)

• Aug 8, 1996 – HIPAA signed into law (16 years ago)

• December 28, 2000 – Privacy Final Rule (modified on August 14, 2002, and compliance by April 14, 2003)

• Feb 20, 2003 – Security Final Rule (compliance by April 21, 2005)

• Feb 17, 2009 – ARRA-HITECH signed into law

• Aug 24, 2009 – HITECH Breach Notification Interim Final Rule (effective Sept 23, 2009)

• Oct 30, 2009 – HITECH Enforcement Interim Final Rule (effective November 30, 2009)

• July 14, 2010 – Modifications to HIPAA Privacy, Security and Enforcement Rules under HITECH; Proposed Rule

• Jan 25, 2013 – HIPAA HITECH Omnibus Final Rule (effective March 26, 2013, and compliance required by September 23, 2013)

Overview of the Omnibus Final Rule and OCR’s Enforcement Expectations

Susan McAndrew, Deputy Director, Health Information Privacy, Office for Civil Rights/HHS

AHLA Webinar, February 25, 2013

Omnibus Final Rule/HITECH – What’s New for Business Associates

• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule
– Liable for Security Rule violations

• BAs must comply with use or disclosure limitations expressed in their contract and those in the Privacy Rule
– Criminal and civil liabilities for violations

• BA definition expressly includes Health Information Organizations, E‐prescribing Gateways, and PHR vendors that provide services to covered entities

• Subcontractors of a BA are now defined as a BA
– BA liability flows to all subcontractors

February 25, 2013 | 22

Omnibus Final Rule/HITECH – What’s New for Consumers

• Right to Electronic Copy of Electronic Health Record
– Right to direct copy to designated 3d party

• Prohibition on Sale of PHI without Authorization

• Marketing Communications Paid for by 3d Party Require Authorization
– Limited exceptions for refill reminders and current prescriptions

• Easy Way to Stop Fundraising Communications

• Right to Restrict Disclosures to Health Plans of Treatment/Services Paid for in Cash

GINA Provisions

• Requires “Genetic Information” to be treated as PHI

• Prohibits Health Plans from using/disclosing genetic information for underwriting purposes

• Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information


Omnibus Final Rule – Non‐statutory Provisions

• Student Immunization
– Makes it easier for parents to permit providers to release student immunization records to schools

• Research
– Allows researchers to use single authorization for more than one research purpose
– Relaxes policy on authorizations for future research

• Notice of Privacy Practices
– Updates required to Notices of Privacy Practices
– Relaxes distribution requirements for Health Plans

• Decedent Information
– Protections limited to 50 years after death
– Eases access to friends and families

Omnibus Final Rule/HITECH – What’s New for Breach

• “Harm” Standard Replaced

• New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least:
– Nature & extent of PHI involved
– Who received/accessed the information
– Potential that PHI was actually acquired or viewed
– Extent to which risk to the data has been mitigated

Enforcement Expectations: Breach Notification

Breach Notification Highlights (09/2009 to 01/07/2013)

• 525 reports involving over 500 individuals

• Over 64,000 reports involving under 500 individuals

• Top types of large breaches
– Theft
– Unauthorized Access/Disclosure
– Loss

• Top locations for large breaches
– Laptops/Portable Electronic Devices
– Paper records
– Desktop Computers

Breach Notification: 500+ Breaches by Type of Breach

• Theft: 51%
• Unauthorized Access/Disclosure: 20%
• Loss: 14%
• Hacking/IT Incident: 7%
• Improper Disposal: 5%
• Unknown: 3%

Data as of January 2013.

Breach Notification: 500+ Breaches by Location of Breach

• Laptop: 23%
• Paper Records: 22%
• Desktop Computer: 15%
• Portable Electronic Device: 14%
• Network Server: 11%
• Other: 10%
• E‐mail: 3%
• EMR: 2%

Data as of January 2013.

Enforcement Expectations: Breach Notification

• Expect more uniformity in assessing incidents for breach notification purposes

• Continue to investigate major breaches and identify systemic or significant compliance problems to address by corrective action and resolution agreements

• Alert for incidents of failure to report – particularly if willful neglect is present

• Looking for ways to incentivize preventative action in most common problem areas

Omnibus Final Rule/HITECH – What’s New for Enforcement

• Makes permanent increased CMP amounts and tiered levels of culpability from 2009 IFR

• Clarifies “Reasonable Cause” Tier

• “Willful Neglect” cases do not require informal resolution

• Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties

Enforcement Expectations: Complaint Investigation and Resolution (As of December 31, 2012)

TOTAL (since 2003):
Complaints Filed: 77,200
Cases Investigated: 27,500
Cases with Corrective Action: 18,600
Civil Monetary Penalties & Resolution Agreements (since 2008): $14.9 million

Enforcement Expectations: Resolution Agreements

• Five Resolution Agreements and Corrective Action Plans Negotiated in 2012 ($4.85 million)

• Expect continued growth and emphasis on significant cases – remain small proportion of all the cases we look at

• Enforcement of compliance with new provisions after September 2013 – continue to enforce with respect to existing provisions not subject to change

Enforcement Expectations: Audit Program

• Completed Audits of 115 entities
– 61 Providers, 47 Health Plans, 7 Clearinghouses

• Total 979 audit findings and observations
– 293 Privacy
– 592 Security
– 94 Breach Notification

• Smaller entities struggle with all three areas

• Still assessing need to follow‐up on individual auditees

• Help identify compliance areas of greatest weakness

• Evaluation underway to guide us in making audit a permanent part of enforcement efforts

Effective Dates, Compliance Deadlines, and Implementation Planning

Adam H. Greene, Esquire, Partner, Davis Wright Tremaine LLP, Washington, DC

Timeline for Compliance

• January 25, 2013 – Omnibus Rule published in the Federal Register
– Valid business associate contract or data use agreement must have already been in place to be grandfathered

• March 26, 2013 – Omnibus Rule effective date (it becomes law)
– Covered entities can take advantage of greater flexibility (e.g., fundraising, decedent information)
– Date on which new business associates must comply with Omnibus provisions

Timeline for Compliance

• September 23, 2013 – Covered entities and business associates must comply with Omnibus Rule provisions

• September 22, 2014 – End of grandfathering period
– Grandfathered business associate agreements must be updated
– No longer may receive remuneration for limited data set pursuant to grandfathered data use agreement

Steps for Coming into Compliance

Develop a business associate implementation strategy

Revise policies and procedures

Revise notice of privacy practices

Develop and implement a training strategy


Business Associate Strategy

• Inventory of business associates
– Have you recognized all business associates?
– Do you unnecessarily have BAAs with non-business associates?
– Consider assigning risk levels (amount of PHI vs. evidence of controls)

• Consideration of agency relationship
– Timeframe for breach notification
– Level of monitoring

• Revise business associate contracts

Revise Policies and Procedures

• Address new Omnibus Rule limits/flexibility with respect to use and disclosure of PHI:
– Sale of PHI
– Marketing
– Fundraising
– Decedents
– Student immunization
– Research

• Breach notification response plan

Revise Policies and Procedures

• Address changes to patient rights:
– E-copy of electronic designated record set
– Right to have designated record set sent to third party
– Restriction on disclosures related to out-of-pocket services
– Distribution of notice of privacy practices (health plans)

• Ensure old HIPAA requirements are addressed

Revise Notice of Privacy Practices

• Prohibition on sale of PHI

• Duty to notify affected individuals of a breach of unsecured PHI

• Right to opt out of fundraising (if applicable)

• Right to restrict disclosure of PHI when paid out of pocket

• Limit on use of genetic information (certain health plans only)

Training

• Develop a strategic plan for training

• Cover changes from Omnibus Rule

• Cover high-risk areas such as mobile devices and social media

• Consider breaking up training
– Uses and disclosures
– Safeguards
– Patient privacy rights
– Breach notification

Training

• Consider multiple training platforms
– E.g., include as agenda item in departmental meeting

• Make sure there is always documentation of attendance

• Don’t try to make workforce into HIPAA experts

[Slide image] “HIPPA” vs. “HIPAA”

Security Rule Risk Analysis

• Distinguish risk analysis vs. evaluation of controls

• Risk analysis should:
– Identify locations of electronic PHI
– Identify reasonably anticipated threats (e.g., human, natural, and environmental) and vulnerabilities
– Assign risk levels (e.g., low, medium, high) based on likelihood and impact

Question and Answer Session


HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part I: The HITECH Omnibus Rule—An Overview and Important Policy Changes © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. “This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association