HIPAA Update: The Omnibus Rule Kathleen Stillwell, MPA/HSA,RN,CPHRM Patient Safety Risk Management Account Executive Matthew L. Kinley, Esq., Partner - Tredway Lumsdaine & Doyle LLP

HIPAA Update: The Omnibus Rule

Kathleen Stillwell, MPA/HSA,RN,CPHRM

Patient Safety Risk Management Account Executive

Matthew L. Kinley, Esq., Partner - Tredway Lumsdaine & Doyle LLP

Disclosure

We would like to disclose that Patient Safety/Risk Management Specialists, as employees of The Doctors Company, have a financial interest in The Doctors Company, an organization that may have a direct interest in the subject matter of this CME presentation.

Also, participating attorneys are often retained by The Doctors Company for defense of malpractice claims.

HIPAA Update: The Omnibus Rule/ 2

Objectives

• Describe new limits on uses/disclosures of PHI
• Recognize Business Associates/subcontractors
• Explain increased patient rights
• Outline action steps for compliance with the 2013 Omnibus Rule

"I never had a policy; I have just tried to do my very best each and every day."

Abraham Lincoln, 1809-1865

HIPAA Violations on the Rise…

• In the last three years, over 70,000 HIPAA violation complaints filed

• Majority of breaches: theft, loss, or unauthorized access or disclosure (i.e. by employees)

• Greatest vulnerability in mobile devices: phones, tablets, laptops, desktops

Source: HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013.

HIPAA Violations on the Rise… (continued)

• Vulnerabilities tend to be low-tech vulnerabilities, not high-tech vulnerabilities

• One-fourth of reported breaches come from paper records

• Paper records are as vulnerable as, or more vulnerable than, electronic records

Source: HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013.

HIPAA Fines…

• Alaska DHHS fined $1.7 million: USB device stolen from employee vehicle

• Cignet Health fined $4.3 million: Failure to provide medical records to 41 patients

• UCLA fined $865,500: Snooping employees

• CVS fined $2.25 million: Disposal of PHI in trashcans

• Blue Cross of Tennessee fined $1.5 million: Unencrypted laptops stolen

The Final Omnibus HIPAA Rule

• Effective March 26, 2013
• Enforcement begins September 23, 2013
• Modifies the privacy, security, and enforcement rules of HIPAA
• Modifies the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health Act (HITECH)

What Will It Cost?

…total cost of compliance with the rule’s provisions is estimated to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter…

www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdfw.hhs

Who Do the Changes Affect?

• HIPAA Covered Entities: Healthcare providers, health systems, health plans, clearinghouses

• HIPAA Business Associates and subcontractors: Vendors who contract with Covered Entities and access protected health information (PHI)

• Examples: Technology vendors, service organizations, accountable care organizations, third party administrators

Key Changes…

• Business Associate (BA) definition expanded
• Liability and obligations of BA expanded
• Marketing, fundraising, sale of PHI
• Change in Notice of Privacy Practices
• Patient right to restrict disclosure to health plan if visit is paid in cash and patient requests a restriction

• Enhanced rights for individuals to receive electronic copies of PHI

Key Changes…(continued)

• Health plans prohibited from disclosing genetic information for underwriting purposes

• Modify individual authorization and requirements to facilitate research and disclosure of child immunization proof to schools

• Enable access to decedent information by family members or others

• Increased penalties for noncompliance

Key Changes…(continued)

• Changes to enforcement rules
  • HHS may impose civil monetary penalties up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year
  • Omnibus Rule eliminates an exception under the previous rule that shielded Covered Entities from civil penalties stemming from conduct of their BA

Privacy Notice

Privacy Notice Changes…

• Inclusion of use/disclosure of PHI for marketing, selling PHI, disclosure of psychotherapy notes

• Inclusion of use/disclosure of PHI for fundraising, and note patients’ right to opt out of such use and disclosure

• Covered Entity health plans intending to use PHI for underwriting purposes must give notice and advise individuals that the Covered Entity is prohibited from using genetic information for underwriting purposes

Privacy Notice Changes… (continued)

• Covered Entity has legal obligation to notify individuals if their PHI is affected by a security breach

• Inclusion of description of individual’s right to request restrictions of disclosures to health plans for payment or healthcare operations regarding services for which individual has paid in full out of pocket

Privacy Notice Changes… (continued)

• Place updated Notice of Privacy Practice on Covered Entity Web site if applicable

• Elimination of requirement to include appointment reminders, treatment alternatives, health related benefits or services, but it is not required to be removed

Notification of Material Change to Privacy Notice...

• HHS modified the method by which health plans are to notify participants of material changes to their notices of privacy practices

• Health plans that post their notices on their Web sites may prominently post changes or their revised notices

• In their next annual mailings, health plans must provide revised notices, or information about material changes and how to obtain revised notices

Notification of Material Change to Privacy Notice... (continued)

• Health plans that do not post their notices on their Web sites must provide revised notices, or information about the material changes and how to obtain the revised notices, to participants within 60 days of the revisions

• Health plans are still required to remind participants of availability of privacy notices at least once every three years

Business Associates

Business Associate: Definition Expanded

• Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate

• Any person who offers a personal health record to individuals on behalf of a Covered Entity

• Can be a subcontractor even if indirect relationship with Covered Entity
  • Health information organizations
  • e-prescribing gateways
  • Any person who provides data transmission services

Liability and Obligations of Business Associate…

• Business Associates and subcontractors with access to PHI are liable for compliance with the HIPAA Privacy and Security Rules

• Business Associates and subcontractors may be assessed civil monetary penalties and criminal penalties for violations

• Business Associates and direct subcontractors must enter Business Associate Agreements all the way “down the chain” of the information flow

Liability and Obligations of Business Associate… (continued)

• Business Associate Agreements must be updated to include specific new provisions

• Existing agreements, entered before January 25, 2013, may operate until agreement is amended/renewed, or until September 22, 2014, whichever is earlier

• Covered Entities and Business Associates will need to modify agreements and allocate risk through use of insurance requirements and indemnity provisions

Revised Breach Notification Rule

Under previous rule, breaches were not required to be reported unless they posed a “significant risk of reputational, financial, or other harm” to individuals.

Revised Breach Notification Rule…

• Presumption of reportable breach
• “Compromised” information
• Omnibus Rule eliminates the “significant risk of harm” standard as the threshold for breach notification

Revised Breach Notification Rule…(continued)

• New standard presumes a reportable breach occurred unless the Covered Entity or Business Associate determines there is a low probability that PHI was compromised by the unauthorized use or disclosure

• Covered Entities and Business Associates must revise breach notice policies and procedures to reflect new breach analysis standard  

Marketing, Fundraising, Sale of Protected Health Information

Marketing…

• Omnibus Rule imposes stricter limitations on marketing communications made in exchange for financial remuneration

• Written communications promoting purchase or use of third party products or services require prior individual authorization if the Covered Entity receives financial remuneration in exchange for sending the communication

Marketing…(continued)

• Limited exceptions permit:
  • Face-to-face marketing communications
  • Certain promotional gifts
  • Refill reminders if remuneration is reasonably related to cost of communication

Fundraising…

• Omnibus Rule provides limited set of circumstances for Covered Entity to use and disclose certain PHI for fundraising without an authorization

• Covered Entities must provide an individual with clear and conspicuous opportunity to opt-out of receiving future fundraising communications

Sale of Protected Health Information…

• Omnibus Rule prohibits sale of PHI unless individual has given authorization

• Authorization must acknowledge Covered Entity will receive remuneration in exchange for PHI

Increased Patient Rights

Increased Patient Rights

• Patient access
• Who can receive?
• Can patient restrict access?
• Notice of privacy practice for patients

Increased Enforcement

Increased Enforcement

• Increased penalties
• “Willful Neglect”
• Procedure for enforcement
• Covered Entities and Business Associates
• Agency liability

Action Items

Action Items

• Revise policies and procedures
• Revise privacy and security policies
• Revise privacy notice
• Revise breach notification requirements
• Revise Business Associates contracts/agreements
• Encryption
• Staff training

OCR Complaint for HIPAA Violation

• Describe briefly what happened. How and why do you believe your (or someone else’s) health information privacy rights were violated, or the privacy rule otherwise was violated?

• Please be as specific as possible
• Attach additional pages as needed

http://www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaintform

Next Steps

What Actions Are Required?

• Revise Business Associate Agreements
• Evaluate existing contractor arrangements to determine whether modifications or new agreement provisions are necessary, including to existing Business Associate Agreements
• Revise HIPAA Policies and Procedures, including modifications to address response to potential breaches involving unsecured PHI

What Actions Are Required? (continued)

• Update and redistribute Notices of Privacy Practices by September 23, 2013

• Analyze current arrangements for compliance with restrictions on sale of PHI, marketing, and fundraising restrictions

• Train employees on updated obligations

The key to wisdom is knowing all the right questions.

John Simone, Sr.

Mission …

Our Mission Is to Advance, Protect, and Reward the Practice of Good Medicine

For additional Patient Safety information, please visit our Web site at:

www.thedoctors.com
800-421-2368