HIPAA and HITECH: The Latest Developments

Presented By: Michele Madison
Partner, Healthcare Practice
Morris, Manning & Martin, LLP
404-504-7621
[email protected]
www.mmmlaw.com


Overview

• Enhanced HIPAA Patient Rights
• Business Associates
• Transaction and Code Sets
• HITECH
• Enforcement
• Audits
• Breach Log

Patient Rights


Rules and Regulations

• HIPAA Privacy and Security Rule
• HITECH: February 17, 2009
• Proposed Rule: July 14, 2010

Proposed Rule (July 14, 2010)

• Extends HIPAA applicability to Business Associates
• Establishes new limitations on the use and disclosure of PHI for marketing and fundraising purposes
• Prohibits the sale of PHI
• Expands patient rights
• Strengthens and expands HIPAA’s enforcement provisions

Enhanced Restrictions on Disclosures

PHI Disclosures (Section 13405(a))

The HITECH Act requires CEs to comply with a patient’s request not to use or disclose PHI if:

• the disclosure would be to a health plan for carrying out payment or health care operations (not for treatment); and
• the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.”

Minimum Necessary

Limited Data Set and Minimum Necessary

HITECH Act (Section 13405(b)) requires CEs to limit PHI disclosures “to the extent practicable” to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively”.


Minimum Necessary

• Secretary guidance on what constitutes “minimum necessary” will be issued in the next 18 months
• All the current exceptions to the existing minimum necessary disclosure standard, including disclosures made for treatment purposes and disclosures required by law, are retained
• This is not applicable to de-identified PHI

Accounting to Patients

Accounting for PHI Disclosures (Section 13405(c))

Covered Entities are required by HITECH to account for disclosures of PHI to carry out treatment, payment and health care operations.

Disclosures must be accounted for during the three years prior to the request if an EHR was used


Proposed Rule

On May 31, 2011, DHHS issued a proposed Rule to provide guidance on implementation of the HITECH changes related to accounting

Comments were received until August 1, 2011

Proposed Rule

HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012

As of today’s date, the Rule has not been finalized

Accounting to Patients

Effective Date

• The accounting requirement effective date depends on when the CE received the EHR
• For an EHR received as of January 1, 2009, these accounting rules apply to PHI disclosures starting January 1, 2014
• The proposed rule has an effective date of January 1, 2013

Sale of PHI Prohibitions

• Receiving remuneration in exchange for any PHI of an individual is prohibited without obtaining a specific authorization from the individual (Section 13405(d))
• Additional regulations will be issued within 18 months after February 17, 2009
• Effective for exchanges of PHI occurring 6 months after the date of promulgation of the final regulations

Sale of PHI Prohibitions

• Seven exceptions to Sale of PHI Prohibitions.
• The sale prohibition does not apply to:
  • Public Health activities as defined under HIPAA
  • Research, up to the costs of preparation and transmittal of PHI
  • Treatment of the individual
  • Sale, transfer, merger or consolidation of all or part of the Covered Entity and due diligence related
  • A Business Associate’s duties to a Covered Entity under a business associate agreement
  • Delivering a copy of the individual’s PHI pursuant to HIPAA section 164.524; and
  • Other PHI exchanges that the Secretary deems similarly “appropriate and necessary” as exceptions in the new regulations

Right of Access

Right of Access to PHI in EHR (Section 13405(e))

• If a CE “maintains an electronic health record with respect to” PHI, the CE must:
  • produce a copy of that PHI in electronic format upon request of the patient
  • transmit the copy directly to an entity or person designated by the individual, but only if the patient’s request is “clear, conspicuous, and specific” (45 CFR 164.524, the Access of Individuals to PHI)
• Charges cannot exceed the labor costs in responding to the request

September 14, 2011

• Proposed Rule to permit individuals access to directly receive lab results from the laboratory
• Comments received through November 14, 2011

Restrictions on Marketing Communications

Restrictions on communications of CE and BA marketing to potential buyers or users (Section 13406)

Any communication that encourages the recipient to purchase or use a product or service is not considered a health care operation unless it is made:

• to describe a product or service (or payment therefor) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about: “the entities participating in a health care provider network or health plan network, health plan replacements or enhancements, and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits”

Restrictions on Marketing Communications

Further exceptions:

• for treatment of the individual; or
• for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual

Restrictions on Marketing Communications

The exceptions above will not be considered health care operations if the CE receives “direct or indirect payment” in exchange for making such communications, unless:

• the payment is for a communication regarding a drug currently prescribed for the recipient of the communication and such payment is “reasonable in amount”;
• the communication is made by the CE after obtaining a valid authorization in accordance with HIPAA section 164.508; or
• the communication is made by a BA of a CE, on behalf of such CE, and such communication is consistent with the applicable Business Associate Agreement

Fundraising Restrictions

• A written communication for fundraising that is a health care operation under HIPAA section 164.501 must allow the recipient, “in a clear and conspicuous manner”, to opt out of receiving any communications
• Opting out is to be treated as a revocation of authorization under section 164.508
• Restrictions on marketing and fundraising communications will apply after February 17, 2010

Business Associate Contracts Required for Certain Entities

More vendors to covered entities or business associates will now be deemed to be business associates:

• each organization that provides data transmission of protected health information and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, or E-prescribing Gateway; or
• each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record

Expanded Business Associates

Each organization “that provides data transmission of Protected Health Information to such entity or its Business Associate and that requires access on a routine basis to such Protected Health Information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a Covered Entity to allow that Covered Entity to offer a personal health record to patients as part of its electronic health record” is required to enter into a Business Associate Agreement.

Business Associates

• Must comply with certain HIPAA security standards:
  • Administrative safeguards
  • Technical safeguards
  • Physical safeguards
• As a matter of law, must comply with privacy duties established by the BA contract, including new duties established by HITECH
• Covered entities will need to incorporate HITECH provisions into BA contracts
• HHS will issue annual guidance on these and other HIPAA security standards
• Business Associates are now directly subject to specific requirements
• Penalties directly apply to Business Associates

Increased Penalties

Enhanced Enforcement Activities

Increased Application and Enforcement


Application of Privacy Provisions and Penalties to BA

• Proposed that the Business Associate is responsible for subcontractors
• Proposed Rule expands the definition of Business Associate
• Direct Enforcement

Enforcement Activities

Criminal Penalties

Covered Entities should be aware of the additional penalties and enforcement activities:

• Enhanced criminal penalties
• Willful neglect standard

Penalty Tiered Increase

Minimum levels of penalties based on intent:

• $100 - $25,000: person did not know and would not have known
• $1,000 - $100,000: reasonable cause and not willful neglect
• $10,000 - $250,000: willful neglect
• $50,000 - $1,500,000: willful neglect and not corrected

State Attorney General

• Permits civil actions on behalf of patients
• May enjoin the actions; and
• Obtain damages not to exceed $25,000 annually
• Attorneys’ fees may be recovered by the State
• Each State Attorney General has been trained on HIPAA

Future Enforcement Tools

Additional funding for Enforcement Activities

In 3 years, the “individual harmed” may receive a % of the CMP collected from the offense

Audit Program

• Federal Government granted two contracts related to auditing and enforcement: Booz Allen, KPMG
• November – December 2011: pilot program of 150 audits, 20 initial audits
• Covered Entities initially; program will expand to Business Associates

OCR Enforcement Results

• HHS / OCR has investigated and resolved over 15,176 cases by requiring changes in privacy practices and other corrective actions by the covered entities
• In 7,894 cases, OCR found no violation had occurred

OCR Enforcement Activities

• 514 complaints alleging a violation of the Security Rule
• 323 complaints closed after investigation and appropriate corrective action
• As of December 31, 2011, OCR had 266 open complaints and compliance reviews

HITECH Penalties

• $4.3 Million Fine: Cignet
• $1.0 Million Fine: Mass General
• $865,500 Fine: UCLA

• Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity.
• Business associates are subject to the same penalties as Covered Entities
• Also applies to vendors of personal health records

Security and Notice Requirements


Security and Notice Requirements

Applies to any Covered Entity or BA/vendor that:

• Accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information

Applies directly to vendors, regardless of whether a business associate agreement is executed

Security and Notice Requirements

Unsecured Protected Health Information means (Section 13402(h)): protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section

Security and Notice Requirements

• Obligation to notify triggers upon discovery of a breach
• Discovery is determined to be the first day on which such breach is known, or should reasonably have been known, to such entity or associate to have occurred
• Knowledge by any person that is an employee, officer or other agent of the entity or associate

Security and Notice Requirements

Notice to Individual must include:

• Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach
• Brief description of what happened, including the date of the breach and the date of discovery of the breach
• Description of the types of unsecured protected health information that were involved
• Steps the individual should take to protect themselves from potential harm resulting from the breach
• Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
• Contact procedures for individuals to ask questions or learn additional information

Security and Notice Requirements

Notice to the Secretary by Covered Entities:

• For breaches impacting 500 or more individuals, notify the Secretary immediately
• For breaches impacting fewer than 500 individuals, maintain a log and notify the Secretary annually by submitting such log

Security and Notice Requirements: Notice Process

Notice Timing:

• Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach
• Delay allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security

Methods of Notice:

• Written notification by first class mail to the individual
• Substitute notice process for insufficient or out of date contact information
• Media notice for 500 individuals or more

“Safe Harbor”

• Safe Harbor from the Notification Requirement is to ensure the data is maintained in a “secure” manner.
• June 2009: requested comments on the proposed form of “secure” data:
  • Encryption
  • De-Identification

Georgia Breaches

• The Neurological Institute of Savannah & Center of Spine, July 2, 2011: 63,425, Theft
• University Hospital, May 7, 2010: 14,000 records, Loss

HIPAA Transactions

HIPAA 5010

• Update from HIPAA 4010
• January 1, 2012
• Delayed enforcement by 3 months

HIPAA Transaction Code Sets

• HIPAA EFT Transaction
• Remittance Advice Transaction
• Proposed Rule: January 12, 2012

Thank you

Michele Madison
Partner, Healthcare Practice
Morris, Manning & Martin, LLP
[email protected]

This presentation is provided as a general informational service to clients and friends of Morris, Manning & Martin LLP. It should not be construed as, and does not constitute, legal advice on any specific matter, nor does this message create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. Please note, prior results discussed in the material do not guarantee similar outcomes.
