TRANSCRIPT
HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy
June 23, 2014
Presented by Jennifer Breuer, David Mayer and Sara Shanti
Sponsored by:
Program Outline
Background – HIPAA Omnibus Final Rule
Business Associates
– New responsibilities for business associates
– Changes to Business Associate Agreements that must be in place as of September 23, 2014
– Recommended compliance strategies
Security Risk Analyses
Enforcement
OCR Audits
BACKGROUND
Background – HIPAA Omnibus Final Rule
Announced on January 17, 2013
Published in Federal Register on January 25, 2013
– http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
Effective on March 26, 2013
Initial Compliance Date: September 23, 2013
– HHS began enforcing Final Rule on the Initial Compliance Date
Final Compliance Date: September 23, 2014
– If existing BAAs were not renewed or modified between March 26 and September 23, 2013, they will remain compliant until the earlier of:
• The date the BAA is renewed or modified after September 23, 2013; or
• September 22, 2014
BUSINESS ASSOCIATES
Business Associates (BAs)
The HIPAA Omnibus Final Rule made the following key changes to Business Associates:
– Expands definition of BAs
– Expands compliance obligations applicable to BAs
– Explains scope of direct liability for violations applicable to BAs
– Identifies required changes to BA agreements
Business Associates: Definition (cont’d)
BAs are still BAs:
– A person or entity who creates, receives, maintains, or transmits PHI on behalf of a Covered Entity
• Change reflected in the addition of “maintains”
Definition of BA now specifically includes:
– Health Information Organization, E-Prescribing Gateway, or other person who provides data transmission services with respect to PHI to a Covered Entity and who requires access to such PHI on a routine basis
– A person who offers a personal health record to one or more individuals on behalf of a Covered Entity
• This does not include PHR vendors that offer PHR directly to an individual and not on behalf of a Covered Entity
Business Associates: Definition (cont’d)
Subcontractors are now BAs:
– Definition of “business associate” now includes a “subcontractor that creates, receives, maintains, or transmits [PHI] on behalf of the business associate”
• “Subcontractor” is a person to whom a BA delegates function, activity or service, other than in the capacity of a member of the workforce of such BA
• BA does not need to provide Subcontractor with PHI directly
– A Covered Entity can provide PHI directly to a BA’s subcontractor without the subcontractor being the Covered Entity’s direct BA
Note: a BA’s disclosure of PHI for its own management, administration and legal responsibilities may not create a subcontractor relationship with the recipient
Responsibilities of Business Associates
BAs are governed by:
– HIPAA
• Most Security Rule standards and implementation specifications extend directly to BA
• All relevant Privacy Rule provisions extend directly to BA
• Legal obligations and enforcement risks
– Contracts
• Terms of the BAA continue to govern BAs
• Terms of Master Services Agreements, Confidentiality Agreements, etc.
– Vicarious liability
• Common law
• BAs may be “agents” of Covered Entity
Responsibilities of Business Associates (cont’d)
BAs are now directly liable for:
– Security Rule compliance
• Complying with administrative, physical, and technical safeguards and documentation requirements
• BAs must conduct a risk analysis of potential security risks and vulnerabilities
– Uses and disclosures of PHI only as permitted:
• Under BAA – BA must comply with terms of BAA
• Under HIPAA – BA cannot use PHI in a manner that would be impermissible by a Covered Entity
Responsibilities of Business Associates (cont’d)
BAs also directly liable for:
– Failing to notify Covered Entities of breaches of unsecured PHI
– Failing to disclose PHI when required by HHS to determine compliance
– Failing to disclose PHI to Covered Entity or individual to satisfy an individual’s request for electronic copy of PHI
– Failing to make reasonable efforts to limit use and disclosure of PHI to minimum necessary
– Failure to enter into BAAs with subcontractors
Responsibilities of Business Associates (cont’d)
A BA that becomes aware of noncompliance by a subcontractor must:
– Take reasonable steps to cure the breach or end the violation
– If steps are unsuccessful, terminate the relationship
Otherwise, the BA may face liability for its own noncompliance with BA requirements
BUSINESS ASSOCIATE AGREEMENTS
Business Associate Agreements
BAAs must require BAs to:
– Use appropriate safeguards for electronic PHI
– Report to Covered Entity use or disclosure of PHI not provided in the BAA, including:
• Breaches of unsecured PHI
• Any security incident
– Ensure that “subcontractors” agree to the same restrictions and conditions as the BA with regard to PHI
– If a BA carries out a Covered Entity’s obligation under HIPAA, comply with those HIPAA requirements that would apply to Covered Entity in the performance of such obligation
Business Associate Agreements (cont’d)
Other key changes to BAAs (since last modified in June 2006):
– BA must comply with the Security Rule
• Risk Analysis
• Safeguards
• Reporting
– BA must maintain and make available information required to make an accounting of disclosures
Sample BAA
– HHS released a form of BAA on January 25, 2013
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Business Associates and Subcontractors
Must have BAAs in place, even though BAs are directly liable under many provisions of HIPAA
BAs must enter into BAAs with their subcontractors
– BA may disclose PHI to a subcontractor only with a BAA
– No BAA is required between Covered Entity and the BA’s subcontractor
Each BAA in the chain must be at least as stringent as the one above it regarding the uses and disclosures of PHI
– Extension of rules not limited to “first tier” contractors, but to all downstream contractors
BA, as opposed to Covered Entity, is responsible for responding to any noncompliant subcontractors
Other BAA Terms and Trends
Industry trends in BAAs
– BA Indemnification
• Specifically, related to breaches that require costly notification
– Permit Aggregation
– Permit De-identification
– Acknowledgements of BA obligations under HIPAA
– Liability could attach under agency theory
BUSINESS ASSOCIATES: COMPLIANCE STRATEGIES
Compliance Strategies
Do not aim to “overachieve”
– HHS looks to the BAA and internal policies for compliance
– Where internal policies are more restrictive than HIPAA standards, HHS may determine noncompliance on the basis of policies rather than legal requirements
Compliance Strategies
More covered entities are using BAAs to transfer obligations
– Some highlight BA HIPAA obligations
– Some insert additional compliance requirements
– Some use BAAs to limit the covered entity’s own liability
• Indemnification clauses
• Reference to MSA clauses
• Insurance requirements
SECURITY RISK ANALYSES
Security Risk Analyses
HIPAA requires BAs to conduct the same security risk analysis that a Covered Entity must undertake
Covered Entities must:
– Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization
Security Risk Analyses
OCR believes Risk Analyses are best practices in the health care industry
Covered Entities have been subject to this Security Rule requirement since April 2003
– Enforced by OCR since July 2009
In the case of a breach or other investigation, OCR will request a copy of a CE Risk Analysis:
– Risk Analysis should be current
• Should be reviewed/revised every 2 or 3 years
– Risk Analysis should reflect changes in operations
• E.g., implementation of new systems
– Risk Analysis should address mobile devices
Security Risk Analyses
Risk Analysis should be scalable and flexible
– Does not have to be a single document
Risk Analysis can be a useful business tool for determining the IT strengths and weaknesses of an organization
– More and more CEs and other contractors want to review their vendors’ security risk analyses
Risk Analysis requires an organization to consider what administrative, physical and technical safeguards it has in place to protect PHI
Elements of a Risk Analysis
Identify ePHI within the organization
– All systems, programs and applications used to create, maintain, receive and transmit ePHI
Identify all external sources of ePHI
– Third-party vendors, consultants and subcontractors
Review human and environmental threats
– Current Security Measures
– Likelihood of Threat
– Impact of Threat
Document all of the above
Elements of a Risk Analysis
Vulnerability – A system weakness that could result in a breach
Threat – The potential for a person or thing to exercise a vulnerability
Risk – The impact considering the probability of a given vulnerability and threat
The Risk Analysis should identify each Vulnerability, Threat and Risk as High, Medium or Low
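The elements listed on the two Risk Analysis slides (inventory the systems that hold ePHI, note the external sources, pair each asset with a threat and a vulnerability, record current measures, rate likelihood and impact, derive a High/Medium/Low risk, and document all of it) can be kept as a small risk register. The Python below is an added example, not material from the presentation or from the presenters' firm; the rating rule, the field names and the sample inventory are all assumptions constructed for illustration. Beyond the rating itself, it checks two documentation gaps that the enforcement actions later in the deck turn on: a High risk with no safeguard and no written rationale, and ePHI shared with an outside party without a BAA.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative scale, ordered low -> high (assumption: the slides name the
# three levels but do not define how they combine)
LEVELS = ("Low", "Medium", "High")


@dataclass
class RiskItem:
    asset: str                     # system/flow that creates, maintains, receives or transmits ePHI
    threat: str                    # human or environmental threat
    vulnerability: str             # weakness the threat could exercise
    likelihood: str                # Low / Medium / High
    impact: str                    # Low / Medium / High
    current_measures: List[str] = field(default_factory=list)
    external_party: Optional[str] = None   # vendor, consultant or subcontractor holding ePHI
    baa_in_place: Optional[bool] = None    # only meaningful when external_party is set
    rationale: str = ""            # why a safeguard is not reasonable, plus compensating controls


def rate_risk(likelihood: str, impact: str) -> str:
    """Derive a High/Medium/Low risk from likelihood and impact.
    Assumed rule (not from the slides): add the two positions on the scale;
    0-1 -> Low, 2 -> Medium, 3-4 -> High."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "Low" if score <= 1 else ("Medium" if score == 2 else "High")


def find_gaps(register: List[RiskItem]) -> List[str]:
    """Documentation gaps a reviewer would ask about: a High risk with neither
    a safeguard nor a written rationale, and an external party without a BAA."""
    gaps = []
    for item in register:
        high = rate_risk(item.likelihood, item.impact) == "High"
        if high and not item.current_measures and not item.rationale:
            gaps.append(f"{item.asset}: High risk with no safeguard and no documented rationale")
        if item.external_party and not item.baa_in_place:
            gaps.append(f"{item.asset}: ePHI shared with {item.external_party} without a BAA")
    return gaps


def render_register(register: List[RiskItem]) -> List[str]:
    """One documentation line per item, highest risk first (stable order within a level)."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = sorted(register, key=lambda i: order[rate_risk(i.likelihood, i.impact)])
    return [
        f"{rate_risk(i.likelihood, i.impact):6} | {i.asset} | threat: {i.threat} | "
        f"vuln: {i.vulnerability} | measures: {', '.join(i.current_measures) or 'none'}"
        for i in rows
    ]


# Constructed sample inventory; none of these are real systems or findings
SAMPLE_REGISTER = [
    RiskItem("clinician laptops", "theft or loss", "full-disk encryption not deployed",
             likelihood="High", impact="High"),
    RiskItem("EHR database server", "unauthorized access from the internet",
             "server reachable without authentication", likelihood="Medium", impact="High",
             current_measures=["firewall rule limiting access", "access log review"]),
    RiskItem("scheduling calendar", "exposure of appointment data",
             "hosted service can index pages publicly", likelihood="Medium", impact="Medium",
             current_measures=["calendar set to private"], external_party="calendar vendor",
             baa_in_place=False),
    RiskItem("backup tapes", "flood in storage room", "single off-site location",
             likelihood="Low", impact="Medium", current_measures=["waterproof containers"]),
]

if __name__ == "__main__":
    for line in render_register(SAMPLE_REGISTER):
        print(line)
    for gap in find_gaps(SAMPLE_REGISTER):
        print("GAP:", gap)
```

Filling in `rationale` on the laptop entry (why encryption was judged not reasonable and what is done instead) clears the first gap; recording a BAA with the calendar vendor clears the second. Either way the register remains a living document, to be revised when systems change rather than produced once.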
GOVERNMENT ENFORCEMENT
Enforcement Process
Enforcement Trends
Recent Enforcement Actions
Columbia University/New York Presbyterian Hospital (2014)
– Impermissible disclosure of ePHI of 6,800 patients to Google/other search engines
• Disclosed PHI included patient status, vital signs, medications and lab results
• Computer server with access to ePHI was not properly configured
– Failure to conduct accurate and thorough risk analysis
– HHS investigation found:
• Failure to implement processes for assessing and monitoring all IT systems that accessed PHI
• Failure to implement policies and procedures for authorizing access to databases containing PHI
• Failure to follow policies on information access management
– $4.8 MM resolution payment to HHS; largest settlement to date
Recent Enforcement Actions (cont’d)
Concentra Health Services (2014)
– Unencrypted laptop stolen from PT department
– HHS investigation found:
• Failure to adequately remediate and manage its identified lack of encryption
– Risk analysis did not address why encryption was not reasonable and appropriate and what other measures would be taken to secure PHI
• Failure to implement policies and procedures to prevent, detect, contain and correct security violations
– $1.7 MM resolution payment to HHS
Recent Enforcement Activities (cont’d)
Shasta Regional Medical Center (2013)
– SRMC responded to media allegations of Medicare fraud by providing information about medical services provided to patient without authorization
• Disclosures made to California Watch, The Record Searchlight and The Los Angeles Times
– SRMC also revealed the patient’s PHI to its entire workforce and medical staff without authorization
– HHS investigation found:
• Failure to safeguard PHI
• Impermissible use of PHI
• Failure to sanction appropriate workforce members pursuant to internal sanctions policy
– $275,000 resolution payment to HHS
Recent Enforcement Activities (cont’d)
Phoenix Cardiac Surgery, P.C. (2013)
– Practice published patient scheduling information to publicly accessible, Internet-based calendar and transmitted ePHI from Practice’s e-mail account to workforce members’ personal e-mail account
– HHS investigation found:
• Failure to provide and document training of workforce members on use and disclosure of PHI
• Failure to implement administrative and technical safeguards to protect ePHI
– No Security Official identified
• Failure to obtain satisfactory assurances from business associates that they would appropriately safeguard ePHI
– No Risk Analysis performed
– No BAA in place with vendor that provided Internet-based calendar
– $100,000 resolution payment to HHS
Recent Enforcement Activities (cont’d)
Future Enforcement
– OCR anticipates more aggressive enforcement
• Attention on risk analyses
• Mobile devices
– Monetary settlements
– Corrective Action Plans
Common Law
– Post-breach private actions
• State jurisdictions
• Standards of harm vary (including lack thereof)
OCR AUDITS
2012 Implementation of Pilot Audit Program
Audit Protocol Design
• Create a comprehensive, flexible process for analyzing entity efforts to provide regulatory protections and individual rights
Resulting Audit Program
• Conducted 115 performance audits from November 2011 through December 2012 to identify findings with regard to adherence to standards. Two phases:
• Initial 20 audits tested original audit protocol
• Final 95 audits used modified audit protocol
Audit Program Likely to Begin Again in 2014
Pilot Program is currently under review for effectiveness
Lessons from Pilot Program will be implemented in future program
Future audits likely to include CEs and BAs
– 1,200 candidates identified as potential audit targets
• Two-thirds are CEs; one-third are BAs
– Number of actual audits likely to be much less than 1,200
Future audits likely to focus on Security Rule compliance
– Failure to perform a thorough risk analysis is the biggest source of Security Rule violation
Understanding HIPAA Audits
NOT an investigation
Random
– Does NOT indicate that a complaint has been filed or that OCR is suspicious about the audit target
NOT intended to be confrontational
Covered Entities (and BAs) need to be prepared for Audits
– Provide prompt and complete cooperation during Audit
– Conduct regular self-audits to prepare (at least annually)
– DOCUMENT compliance activities; make sure documentation is organized and accessible
Who Can Be Audited?
Any Covered Entity
For Pilot Program, OCR reviewed range of types/sizes
• Health plans of all types
• Health care clearinghouses
• Individual and organizational providers
What to Expect During an Audit
Notification letter
– Auditee should confirm its authenticity
Letter will request documentation (10-day turnaround)
Letter will provide notice of a site audit (30 – 90 days from date of letter)
Site Visit
– Interview of key personnel
– Observations of processes and operations
Receipt of Draft Report/Opportunity to Respond (10 days)
– OCR will not see draft report
Issuance of Final Audit Report
– OCR will receive copy of final report, which incorporates the steps the auditee has taken to resolve any compliance issues identified by the audit and describes any best practice
Audit Protocol available on OCR’s website
Questions?
Contact Information
Jennifer Breuer, Partner
Drinker Biddle & Reath LLP
(312) [email protected]
David Mayer, Senior Advisor
Drinker Biddle & Reath LLP
(312) 569-1060
Sara Shanti, Associate
Drinker Biddle & Reath LLP
(312) [email protected]
Or, visit our website for more information at: www.DrinkerBiddleHealthCare.com
Thank you to our sponsor
Iatric Systems Business Associate Manager™ manages the risk and workflow necessary for organizations to ensure due diligence with their business associate relationships. By monitoring and managing the risk of business associate agreements and providing alerts when agreements need updating, Business Associate Manager™ helps organizations protect patient privacy and build trust.