TRANSCRIPT
Understanding HITECH
Impact of HITECH Act on HIPAA and the Interface with New Hampshire Privacy Law
Cinde Warmington
Shaheen & Gordon, P.A.
107 Storrs Street
P.O. Box 2703
Concord, NH 03302-2703
(603)
Understanding HITECH
This presentation is for informational purposes only. It does not constitute legal advice. You should seek the advice of counsel if you need legal assistance.
HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009.
Contains provisions affecting HIPAA including breach notification requirements.
Interim final rule on breach notifications was issued August 24, 2009, effective September 23, 2009. 74 Fed. Reg. 42740.
Sanctions will not be imposed for failure to comply with notification requirements for breaches which are discovered before February 22, 2010.
Breach Notification Requirements
Prior to HITECH, there was no affirmative duty under HIPAA to notify an individual if protected health information (PHI) was breached unless the breach involved “personal information” as defined under NH law and notification was required under RSA 359-C:20;
HIPAA does include a duty to mitigate harm (which may require notification of the individual); and
HIPAA does include a duty to keep an accounting of certain disclosures which individuals can request;
But there was no explicit duty to notify individuals of a breach.
Breach Notification Requirements
HITECH imposes an affirmative duty to notify each individual whose “unsecured PHI” is breached.
“A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach.”
45 CFR §164.404
What is a breach?
Breach means the acquisition, access, use, or disclosure of protected health information not permitted under HIPAA which compromises the security or privacy of the PHI.
“Compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual.
45 CFR § 164.402(1)(i)
What is “unsecured” protected health information?
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance issued by the Secretary of DHHS.
45 CFR § 164.402
Approved technologies/methodologies include:
Encryption
Destruction
Encryption
Means “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR §164.304.
Requires that the confidential process or key has not been breached.
Encryption
Valid encryption processes for “data at rest” are set forth in NIST Special Publication 800-111.
Valid encryption processes for “data in motion” must comply with the Federal Information Processing Standards (FIPS 140-2).
Available at http://www.csrc.nist.gov
Valid Destruction Processes:
Paper, film or other hard copy media must be shredded or destroyed in such a way that the PHI cannot be read or otherwise reconstructed.
Electronic media must be cleared, purged or destroyed so that PHI cannot be retrieved, consistent with NIST Special Publication 800-88.
Available at http://www.csrc.nist.gov
Is there a breach?
If the PHI is encrypted or destroyed through a means specified in DHHS guidance, disclosure of the PHI will not result in a breach…
…and, therefore, no notification is required.
Is there a breach?
Does the improper acquisition, access, use or disclosure compromise the security or privacy of the PHI?
In other words, does it pose a significant risk of financial, reputational or other harm to the individual?
The covered entity (or business associate) must perform a risk assessment.
Factors to be considered in performing risk assessment
Who used the PHI? Who received the PHI?
Was the disclosure to another covered entity?
Was there evidence that the information was accessed?
What was the nature of the information disclosed?
Was the covered entity able to take immediate steps to mitigate the harm?
Examples from preamble to Interim Final Rule:
If disclosure was to another covered entity, there may be less risk of harm to the individual;
If a lost or stolen laptop is returned and testing shows PHI was not accessed, the risk of harm is lessened;
If the PHI included only limited information not likely to cause harm (e.g. patient’s name and name of hospital where patient was treated);
If the covered entity obtains immediate assurances from recipient that PHI will not be disclosed and will be destroyed, risk of harm may be lessened.
Risk Assessment
Each risk assessment will be individual and fact specific;
The covered entity or business associate must document the risk assessment and the factors considered to support its conclusions;
The burden of proof is on the covered entity or business associate to show no breach has occurred;
If no risk of harm, then no breach notification.
Breach notification requirements
Timeliness
If the covered entity determines there is a breach, each individual must be notified without unreasonable delay but no later than sixty (60) days after discovery.
If a business associate determines there is a breach, it must notify the covered entity.
Breach notification requirement
When is the breach discovered?
On the first day the covered entity or business associate knows of the breach or would have known if it had exercised reasonable diligence.
Breach notification requirements
Covered entity’s written notification of the breach must include:
Brief description of what happened;
Date of the breach and date of discovery of the breach, if known;
Description of information disclosed;
Any steps individuals should take to protect themselves;
Brief description of what the covered entity is doing to investigate the breach, mitigate any harm and prevent future breaches; and
Toll free number, email address, website or postal address where individuals can receive additional information.
Notice must be written in plain language:
Must take reasonable steps to ensure meaningful access for individuals with Limited English Proficiency (may have to translate).
Must ensure effective communications with individuals with disabilities (may require notice be made in Braille, large print or audio).
Methods of Notification
Written notice must be:
By first class mail;
To last known address or by email if individual agrees to electronic notice*;
Must notify next of kin or personal representative if individual is deceased and address is known.
*Covered entities may want to start obtaining this consent at time of patient registration.
Substitute Notice:
If contact information is insufficient or out-of-date, substitute notice must be provided.
Substitute notice is not required if person is deceased and there is insufficient contact information for next of kin or personal representative.
Substitute Notice
If there is insufficient or out-of-date contact information for fewer than 10 individuals, then substitute notice can be provided by an alternative form of written notice, telephone or other means.
Substitute Notice
From a practical perspective what does this mean?
If covered entity does not have a valid street address but does have an email address, the email can be used, and without the individual’s consent.
If the covered entity has a phone number and not an email or street address, the individual can be notified by telephone.
It may not be immediately clear whether there are more or fewer than ten individuals with insufficient contact information (returned mail may be the first notice that info is out-of-date).
Substitute Notice
If there is insufficient or out-of-date contact information for 10 or more individuals, substitute notice shall be either:
Conspicuous posting for 90 days on home page of covered entity’s web-site; or
Conspicuous notice in major print or broadcast media in geographic areas where affected individuals may reside;
Must include a toll-free number where an individual can learn whether their information may have been breached.
Substitute Notice
Practical Concerns regarding the cost of providing notice with toll-free number
Since public notice will not identify the 10 or more affected individuals, notice may prompt a deluge of calls from unaffected individuals at a substantial cost to covered entity.
DHHS notes that the toll-free number is statutorily required.
DHHS suggests that notice can include another means of determining if the person is affected by the breach.
Notice in Urgent Situations
In addition to written notice, the covered entity may provide notice by telephone if it is urgent because of possible, imminent misuse of PHI.
Breach involving more than 500 residents
For breaches involving more than 500 residents of a State or jurisdiction:
Covered entity must notify prominent media outlets in the State or jurisdiction.
Notice must be without unreasonable delay but no later than sixty (60) days after discovery of the breach.
Notification must include the same information that would be given to the individuals (except it would not identify the individuals).
Notice would most likely be in the form of a press release.
Notification to the Secretary of DHHS
For breaches involving 500 or more individuals, must notify DHHS at the same time as individuals are notified.
For breaches involving fewer than 500 individuals, the covered entity must maintain a log of breaches and submit it annually to the Secretary within 60 days after the end of the calendar year.
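The notification steps in the preceding slides (safe harbor for secured PHI, risk assessment, the 60-day deadline, substitute notice below and at 10 unreachable individuals, media notice above 500 residents of a State, and DHHS notice at 500 or more individuals) are a decision procedure that a compliance or incident-response team can encode so the same thresholds are applied the same way every time. The following is an added example written for this page; it is not part of the presentation and not a tool from Shaheen & Gordon. The class and field names, the three constructed scenarios, and the wording of the resulting actions are this example's own assumptions; the thresholds and deadlines are the ones stated in the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and deadlines as stated in the slides.
NOTIFY_DEADLINE_DAYS = 60            # individuals notified no later than 60 days after discovery
SUBSTITUTE_NOTICE_THRESHOLD = 10     # fewer than 10 unreachable: alternative written/phone; 10 or more: web or media
MEDIA_THRESHOLD = 500                # more than 500 residents of one State: notify prominent media outlets
DHHS_IMMEDIATE_THRESHOLD = 500       # 500 or more individuals: notify DHHS with the individuals, else annual log
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60  # annual log submitted within 60 days after the end of the calendar year


@dataclass
class Incident:
    """Facts gathered about an incident (field names are this example's own)."""
    discovered_on: date                 # first day known, or should have been known with reasonable diligence
    secured_per_guidance: bool          # encrypted per NIST SP 800-111 / FIPS 140-2, or destroyed per SP 800-88
    key_or_process_breached: bool       # safe harbor is lost if the confidential key/process was also breached
    significant_risk_of_harm: bool      # conclusion of the documented risk assessment
    affected_by_state: Dict[str, int]   # individuals affected, by State of residence
    unreachable_individuals: int = 0    # insufficient or out-of-date contact information
    found_by_business_associate: bool = False


@dataclass
class NotificationPlan:
    breach: bool
    reason: str
    deadline: Optional[date] = None
    actions: List[str] = field(default_factory=list)


def plan_notifications(inc: Incident) -> NotificationPlan:
    """Walk the slides' decision steps and return the notifications that follow."""
    # Step 1: safe harbor. PHI secured per DHHS guidance is not "unsecured PHI",
    # so its disclosure is not a breach and no notification is required.
    if inc.secured_per_guidance and not inc.key_or_process_breached:
        return NotificationPlan(False, "PHI secured per DHHS guidance: no breach, no notification")

    # Step 2: risk assessment. The covered entity bears the burden of showing there is
    # no significant risk of harm, and must document the assessment either way.
    if not inc.significant_risk_of_harm:
        return NotificationPlan(False, "No significant risk of harm: document the risk assessment; no notification")

    total = sum(inc.affected_by_state.values())
    plan = NotificationPlan(True, f"Breach of unsecured PHI affecting {total} individuals",
                            deadline=inc.discovered_on + timedelta(days=NOTIFY_DEADLINE_DAYS))

    # A business associate notifies the covered entity and identifies the individuals affected.
    if inc.found_by_business_associate:
        plan.actions.append("Business associate: notify the covered entity, identifying affected individuals")

    # Step 3: individual notice in writing by first class mail (email only if the individual agreed).
    plan.actions.append(f"Written notice by first class mail to {total} individuals (email if the individual agreed)")

    # Step 4: substitute notice for individuals who cannot be reached; the method depends on how many.
    if 0 < inc.unreachable_individuals < SUBSTITUTE_NOTICE_THRESHOLD:
        plan.actions.append(f"Substitute notice to {inc.unreachable_individuals} unreachable individuals "
                            "by alternative written notice, telephone or other means")
    elif inc.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.actions.append(f"Substitute notice for {inc.unreachable_individuals} unreachable individuals: "
                            "90-day conspicuous web-site posting or major print/broadcast media, with a toll-free number")

    # Step 5: media notice in each State with more than 500 affected residents.
    for state, count in sorted(inc.affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            plan.actions.append(f"Notify prominent media outlets in {state} ({count} residents affected)")

    # Step 6: notice to the Secretary of DHHS, immediately or via the annual log.
    if total >= DHHS_IMMEDIATE_THRESHOLD:
        plan.actions.append("Notify the Secretary of DHHS at the same time as the individuals")
    else:
        due = date(inc.discovered_on.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)
        plan.actions.append(f"Log the breach; submit the annual log to the Secretary by {due.isoformat()}")
    return plan


# Constructed scenarios (not from the presentation) that exercise the branches.
def scenario_unencrypted_laptop() -> NotificationPlan:
    """Unencrypted laptop lost; 523 affected across two States; 12 with stale addresses."""
    return plan_notifications(Incident(date(2009, 10, 1), False, False, True,
                                       {"NH": 520, "VT": 3}, unreachable_individuals=12))


def scenario_encrypted_laptop() -> NotificationPlan:
    """Same laptop, but encrypted per SP 800-111 and the key was not exposed."""
    return plan_notifications(Incident(date(2009, 10, 1), True, False, True, {"NH": 520, "VT": 3}))


def scenario_small_misdirected_fax() -> NotificationPlan:
    """Four individuals' PHI faxed to the wrong recipient; found by a business associate."""
    return plan_notifications(Incident(date(2009, 10, 1), False, False, True, {"NH": 4},
                                       found_by_business_associate=True))


if __name__ == "__main__":
    for make in (scenario_unencrypted_laptop, scenario_encrypted_laptop, scenario_small_misdirected_fax):
        plan = make()
        print(f"{make.__name__}: {plan.reason}; deadline {plan.deadline}")
        for action in plan.actions:
            print("  -", action)
```

Two design points follow from the slides. The safe-harbor check comes before the risk assessment because secured PHI is by definition not "unsecured PHI", so the harm analysis never starts; and the media and DHHS counts are kept separate because one is per State (more than 500 residents) and the other is the total across all States (500 or more), so a breach can trigger one without the other.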
Administration
Covered entity must train its workforce;
Covered entity must have appropriate sanctions against workforce members who fail to comply with its privacy policies;
Covered entity must change its policies and procedures.
Covered entity must revise its Business Associates Agreements.
Notification by Business Associate
Business associate must notify covered entity of a breach without unreasonable delay but not later than sixty (60) days after discovery.
Notification shall include the identification of individuals whose PHI has been breached.
Business associate will provide covered entity with additional information needed for notice as required above, or promptly thereafter as information becomes available.
NH State Law RSA 359-C:20
Requires notification of individuals in the event of a security breach of computerized personal information if there is a determination that misuse of the information has occurred or is likely to occur, or if a determination cannot be made.
Health care providers must also notify the Attorney General’s office.
NH State Law RSA 359-C:20
Personal information is more limited than PHI
Personal information includes:
o An individual’s first name or initial and last name in combination with any of the following data elements when the name or the data element is not encrypted:
• Social Security Number;
• Driver’s license number or other government ID number; or
• Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
NH State Law RSA 359-C:20
Notification Requirements
Written Notice
Electronic (if that is the primary means of communication with individuals)
Telephonic notice (must keep a log)
HIPAA requires written notification.
NH State Law RSA 359-C:20
Substitute Notice
If cost of notice would exceed $5000*, or
Affected class of individuals exceeds 1000*; or
There is insufficient contact information to provide notice; then
o Substitute notice can be given via: Email; Conspicuous posting on web-site; or Notification of major statewide media.
*HIPAA breach notification requirements will preempt.
NH State Law RSA 359-C:20
Notice includes:*
General description of incident; Approximate date of breach; Type of information involved; and Telephonic contact information where affected person can call.
* Notice will also need to comply with HIPAA requirements.
If more than 1000 are affected, then must also notify all consumer reporting credit agencies, without unreasonable delay (but notice is not required to include names of affected persons).
HIPAA/State Law Interface
See decision matrix attached as pdf document.
Accounting for Disclosures
A new requirement to account for disclosures made for treatment, payment and healthcare operations for covered entities using an EHR.
Effective Dates:
By 1/1/2014 for EHRs acquired as of 1/1/2009.
By the later of 1/1/2011 or the date the EHR is acquired, for EHRs acquired after 1/1/2009.
Individuals entitled to receive an accounting for such disclosures for a period of three years.
This accounting is of “disclosures” and not “uses”. It is not the same as an audit trail.
“Minimum Necessary”
Covered entity must limit disclosure of PHI to a limited data set rather than minimum necessary to the extent practicable – this will sunset when guidance concerning “minimum necessary” is issued.
Secretary shall issue guidelines on what constitutes minimum necessary by August 10, 2010.
Requested Restrictions
Currently an individual can request restrictions on the use and disclosure of PHI, but covered entity does not have to agree to such requests.
Under HITECH, covered entities must comply with a request if:
The disclosure is to a health plan for payment or healthcare operations; and
The PHI pertains to an item or service for which the healthcare provider has been paid out-of-pocket in full.
Effective Feb. 2010.
Access to Info in EHR
Individual has a right to receive information stored in an EHR in an electronic format.
If directed by an individual, covered entity must transfer a copy to someone designated by the individual.
Charge cannot be greater than labor costs for responding to request.
Effective Feb. 2010.
Marketing and Fundraising – HIPAA Changes (Effective 2/2010)
If remuneration is received, an authorization is required except in very limited circumstances.
Marketing communications are not defined as health care operations, except for treatment, case management, care coordination, alternative therapies, providers or care settings, or descriptions of the covered entity’s own services.
Fundraising communications will need to include a clear and conspicuous opportunity to opt out.
Marketing Changes – NH State Law (Effective 1/1/2010)
Under HB 619 -- Marketing means:
(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual’s health care provider:
o For treatment of the individual;
o For case management or care coordination for the individual;
o To direct or recommend alternative treatments, therapies, health care providers or settings of care;
o For treatment-related reminders or health promotion activities by health care providers.
(2) An arrangement whereby the health care provider discloses PHI in exchange for payment so that a third party can make a marketing communication about its own products/services.
An authorization is required for any use or disclosure of marketing information.
To the extent State law is contrary to HIPAA and more protective of privacy, State law will preempt HIPAA.
Fundraising – NH Law
Fundraising communications must include a clear and conspicuous opportunity to opt out of receiving such communications. Notice must be provided:
o 60 days prior to any fundraising communication; or
o In the Notice of Privacy Practices if the notice is given prior to any fundraising communication;
o In any subsequent fundraising communications.
Once a person opts out, it is treated as a revocation of an authorization.
Marketing and Fundraising – NH Law
Enforcement: An aggrieved individual may bring a civil action under RSA 332-I:4 or 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1000 for each violation, and costs and reasonable legal fees.
The interface between state and federal law is still to be determined.
Prohibition on the Sale of EHR/PHI
HITECH prohibits a covered entity from receiving direct or indirect remuneration in exchange for PHI unless the person provides a valid authorization.
Exceptions
o Public health activities;
o Research (price is for preparation and transmittal of data);
o For treatment of the individual;
o For health care operations associated with the sale/merger/consolidation of the covered entity;
o Payment by the covered entity for the services of a business associate;
o To provide individual a copy of record.
Prohibition on the Sale of EHR/PHI
Secretary to promulgate regulations not later than 18 months after enactment.
Prohibition becomes effective 6 months after regulations are promulgated.
Business Associates
Breach notification requirements apply.
Security Rule Sections 45 CFR §§ 164.308, 310, 312, 316 apply.
HIPAA provisions governing use and disclosure of PHI apply to business associates.
Civil and criminal penalties now apply to business associates.
Business Associates will need to maintain an accounting of any disclosures of EHR.
HIPAA Enforcement and Penalties
CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation category – Section 1176(a)(1)   | Each violation    | All such violations of an identical provision in a calendar year
(A) Did Not Know…                         | $100-$50,000      | $1,500,000
(B) Reasonable Cause…                     | $1,000-$50,000    | $1,500,000
(C)(i) Willful Neglect-Corrected…         | $10,000-$50,000   | $1,500,000
(C)(ii) Willful Neglect-Not Corrected…    | $50,000           | $1,500,000
HIPAA Enforcement and Penalties
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the [HIPAA] provision violated.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the [HIPAA] provision violated.
HIPAA Enforcement and Penalties
HIPAA imposes a minimum penalty amount in each category.
Previously, a covered entity would have an affirmative defense if it did not know or reasonably would not have known of the violation;
HITECH removes this affirmative defense;
However, if the violation is not due to willful neglect and is corrected within 30 days of discovery (or the date the covered entity should have known by exercising reasonable diligence), this will be an affirmative defense.
HIPAA Enforcement and Penalties
Secretary still has discretion to limit or waive penalties in cases due to reasonable cause and not willful neglect.
No later than 3 years after enactment, the Secretary shall establish a methodology under which an individual harmed may receive a percentage of the penalties collected.
Enforcement by State Attorneys General
State Attorneys General may bring a civil action on behalf of residents of the State who have been or are threatened or adversely affected by any person violating the statute:
o State may seek equitable injunctive relief.
o Damages calculated by multiplying $100 times the number of violations.
o Total amount of damages for identical violations in a calendar year is $25,000.
o State may seek payment of attorney fees.