HIPAA Regulations Update

What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It

HIPAA COW Fall Conference, October 15, 2010

Sarah Coyne and Tom Shorter

Transcript of the slide deck follows.

Page 1: HIPAA Regulations Update

What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It

HIPAA COW Fall Conference, October 15, 2010

Sarah Coyne and Tom Shorter

Page 2: Breach Notification

- We talked about this last year. Covered entities and business associates must notify patients and DHHS in the event of a breach.
- Ways to get off the reporting train
- Interim final rule still in effect – published August 24, 2009 (final rule drafted, released, withdrawn on July 28, 2010).

Page 3: An Endpoint!

- PHI of patients deceased more than 50 years is no longer protected under HIPAA (under proposed rules).

Page 4: AHA Data Shows Poor Hospital Compliance With HITECH

- 2010 AHA survey of compliance officers
  - 85% of hospitals not HITECH-compliant
  - 41% of hospitals have 10 or more data breaches annually

Page 5: Family and Friends

- Like Wisconsin, proposed HIPAA rules clarify that certain disclosures to friends and family are permissible.
- Wisconsin – may release a "portion but not a copy" if any of the following:
  - patient agrees
  - emergency
  - family/close friend notification
  - family/close friend involved in care

Page 6: Redisclosure

- Original HIPAA stands: no protection for records redisclosed by recipient.
- Wisconsin – no redisclosure unless:
  - Patient authorizes
  - Court orders
  - Consistent with original purpose of disclosure

Page 7: Minimum Necessary – Current Law

- Uses, disclosures, and requests should be limited to a limited data set, when practicable.
- If a limited data set is not practicable, they should be limited to the minimum necessary to achieve the purpose of the use/disclosure.
- The CE or BA disclosing gets to make the call on what is the minimum necessary.

Page 8: Minimum Necessary – Proposed Rule

- Proposed rule did NOT provide new requirements to the minimum necessary rule – so we are still stuck with the default of a limited data set for now.
- Solicited comments on what guidance would be helpful to CEs and BAs.

Page 9: Minimum Necessary – What Do We Need To Do?

- Revise BAAs and Privacy Rule policies and procedures to limit uses, disclosures, and requests to a limited data set (where practicable).
  - May need to revise again when new provisions come out – some CEs have chosen to wait for further guidance to revise BAAs.
- Make sure workforce members are aware of changes to the minimum necessary rule.

Page 10: Marketing – Current Law

- Three exceptions to the definition of "marketing":
  - Communications made to describe a health-related product or service provided by the CE
  - Communications made for treatment
  - Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, providers or settings of care

Page 11: Marketing – Current Law

- Communications that previously fell outside the definition of "marketing" may now constitute marketing if the CE receives payment from a third party for making the communication (and will require patient authorization).

Page 12: Marketing – Current Law

- Limited exceptions:
  - A communication describing only a drug or biologic the recipient is currently prescribed (payment must be reasonable)
  - A communication made by a BA on behalf of the CE (and the communication does not violate the BAA)
  - A communication pursuant to a valid patient authorization, if the communication is made by the CE (obviously)

Page 13: Marketing – Proposed Rule

- Subsidized treatment communications do not require authorization BUT they are subject to notice and opt-out.
  - Opt-out must be in the communication; it must be relatively easy to opt out.
  - NPPs must contain a statement about subsidized treatment communications.

Page 14: Marketing – Proposed Rules

- Only specified HCO communications require authorization if the CE receives financial remuneration in exchange for making the communication.
  - Rule attempts to clarify differences between HCO and treatment communications
  - Defines "financial remuneration"

Page 15: Marketing – Proposed Rule

- Subsidized refill reminders and other communications about currently prescribed drugs/biologics do not require authorization (payment must be reasonable).
- Face-to-face communications and promotional gifts of nominal value are still permitted.

Page 16: Marketing – What Do We Need To Do?

- All arrangements where a CE receives remuneration from a third party to make patient communications must be reviewed to see whether an authorization is required.
- Evaluate whether an exception applies.
- If an exception does not apply, you will need a patient authorization.

Page 17: Fundraising – Current Law

- Must provide a clear and conspicuous opportunity to opt out of any further fundraising communications.
- Strict compliance with the opt-out; no more "reasonable efforts" to comply.
- An individual's choice to opt out must be treated as a revocation of authorization.

Page 18: Fundraising – Proposed Rule

- Minor clarifications:
  - Each fundraising communication to a patient must include a clear and conspicuous opt-out.
  - CE may not condition treatment or payment on an individual's decision.
  - If an individual opts out, the CE may not send further fundraising communications.
  - Statement in NPP still required.
- Request for comment on PHI to be used in fundraising communications.

Page 19: Fundraising – What Do We Need To Do?

- Implement a system for tracking opt-out decisions.
- Ensure all fundraising communications have a clear opt-out process.
- Opt-out process may include a phone or email option, but requiring individuals to write a letter may be an "undue burden".

Page 20: Accounting From EHR For TPO – Current Law (sort of)

- HITECH Act requirements are not yet effective.
  - If you had an EHR as of 1/1/09, the effective date is 1/1/2014.
  - If you adopted an EHR after 1/1/09, the effective date is the later of 1/1/11 or the date the EHR is acquired.
- As of the applicable effective date, if you have an EHR, you must account for disclosures made through the EHR for treatment, payment, and health care operations.
- Must account for such disclosures for the past three years (as opposed to six years for other accounting requirements).

Page 21: Accounting From EHR For TPO – Current Law (sort of)

- Covered entities have the option of either:
  - Including the EHR disclosures made by their BAs in the same accounting of disclosures report, or
  - Providing a list of their BAs, who would then be required to provide an accounting to the patient (must include the contact information).

Page 22: Accounting From EHR For TPO – Current Law (sort of)

- HITECH Act required creation of regulations addressing what information should be collected for accountings through EHR.
- Regulations should only require information that takes into account:
  - The interests of the individuals in learning the circumstances under which their PHI is being disclosed, and
  - The administrative burden for such accountings.

Page 23: Accounting From EHR For TPO – Proposed Rule (not yet)

- Proposed rule was anticipated in June 2010…didn't happen.
- Little guidance available on what information will be required for these types of accountings.

Page 24: Accounting From EHR – What Do We Need to Do?

- Cross your fingers that the government proposes a reasonable rule…
- If you are going to purchase and implement an EHR, make sure it has accounting capabilities.
- If you already have an EHR, start to work with your vendor on how to meet the accounting requirements if it doesn't currently have this functionality.

Page 25: Security Rule – Risk Analysis Guidance

- Guidance is based on NIST recommendations.
- Recognizes that risk analysis methods will vary based on the size, complexity, and capabilities of the organization.
- The result of the risk analysis determines how the CE should approach the implementation specifications – particularly addressable ones.

Page 26: Security Rule – Risk Analysis Guidance

- Elements of a risk analysis:
  - Determine scope of risk analysis
  - Identify where e-PHI is stored, received, maintained, transmitted
  - Identify threats and vulnerabilities
  - Assess current security measures
  - Determine the likelihood that a threat will occur
  - Determine potential impact of potential threats
  - Assign a risk level to identified threats/vulnerabilities
  - Document assessment

Page 27: Security Rule – Risk Analysis Guidance

- Must document the risk analysis process
  - Document assigned risk levels and a list of corrective actions to be performed to mitigate each risk level
  - Documentation helps justify decisions for addressable standards
- Must periodically review and update the risk assessment – ongoing process
  - Frequency will vary among CEs
  - Should be performed as technologies and business operations change

Page 28: Risk Analysis Guidance – What Do We Need To Do?

- Make sure you have documented your risk analysis.
- Make sure your addressable implementation specifications align with the results of the risk analysis.
- Make sure you periodically review and update your risk analysis (don't forget remote users and portable devices!).
- Update your security safeguards if necessary.

Page 29: Security Safeguard Trends

- Encryption continues to become more and more important:
  - Encryption = exception to breach notification
  - PHI is rendered unusable, unreadable, or indecipherable if NIST encryption standards for data at rest and in motion are followed
  - Not all encryption technology meets NIST standards – check your technology
  - Final Certification Rule = EHR certification requires encryption capabilities

Page 30: Security Safeguard Trends

- Destruction of PHI
  - Exception to security breach notification if PHI has been destroyed as follows:
    - Paper, film, and other hard copy media are shredded or destroyed so PHI cannot be read or reconstructed (redaction is not sufficient)
    - Electronic media is cleared, purged, or destroyed consistent with NIST standards on media sanitization

Page 31: Security Safeguard Trends

- HHS to issue annual guidance on the most effective and appropriate technical safeguards – Risk Analysis was first in the series.
- For helpful Security Rule guidance, see: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
  - Security Rule Educational Series
  - Relevant NIST Standards
  - Risk Analysis Guidance
  - Remote Use Guidance

Page 32: Business Associates – Current Law

- Under HITECH, Business Associates are DIRECTLY liable for compliance with the Security Rule and for uses and disclosures under the Privacy Rule.
- Requires affirmative compliance obligations – details clarified somewhat in the proposed rules of July 14 and will be further clarified in final rules and other guidance.

Page 33: Business Associates – NPRM

- Expansion of the definition of BA to include:
  - Health Information Organizations
  - E-Prescribing Gateways
  - Entities/individuals that
    - Provide data transmission services with respect to PHI AND
    - Require access on a routine basis to that PHI
- Definition will not include "conduits" only accessing PHI on a random or infrequent basis.

Page 34: Business Associates – NPRM

- Definition of BA will include SUBCONTRACTORS!
- Endless downstream flow of obligations.

Page 35: Business Associates – NPRM

- Reference patient safety activities
- Except certain entities from the BA Agreement requirement, including:
  - Some governmental agencies that perform enrollment and eligibility activities for another governmental agency's health plan

Page 36: Business Associates – NPRM

- Clarified liability of BAs:
  - Will be directly liable for Security Rule violations
  - Will be directly liable for impermissible uses and/or disclosures under the Privacy Rule
  - Failure to disclose to the Secretary or provide e-access

Page 37: Business Associates – NPRM

- Changes to liability of CEs:
  - Will be liable for acts of BAs acting as CEs' agents within the scope of agency

Page 38: Business Associates – Timing

- Continue to enter into and comply with BA Agreements.
- Comply with requirements in the HITECH Act now.
- Proposed rules contemplate a general compliance date of 180 days after the effective date of the final rules.
- Proposed rules contemplate a transition period for BAA revision ending on the earliest of:
  - When the BA relationship is changed in any way after 240 days from publication of the final rule
  - One year and 240 days after publication of the final rule

Page 39: Business Associates – Practical Guidance

- Be prepared to act!
- BAs will be required to have BA Agreements with Subcontractor BAs.
  - This is the BA's obligation, not the CE's obligation (although practically speaking, CEs should make sure it happens).

Page 40: Disclosing PHI to Health Plans – Current Law

- 45 CFR 164.506. A covered entity may, without the individual's authorization, use or disclose protected health information for its own treatment, payment, and health care operations activities.
  - To avoid interfering with an individual's access to quality health care or the efficient payment for such health care
- A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.

Page 41: Disclosing PHI to Health Plans – Current Law

- "Payment" is defined as the activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment activities include:
  - Determining eligibility or coverage under a plan and adjudicating claims;
  - Risk adjustments;
  - Billing and collection activities;
  - Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  - Utilization review activities; and
  - Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

Page 42

Disclosing PHI to Health Plans: Current Law

A CE must limit disclosures of PHI for payment to the Minimum Necessary

A CE must develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for payment, based on those who need access for their jobs

A CE may choose to obtain an individual’s consent for it to use and disclose information for payment

Individuals have the right to request restrictions on how a CE uses and discloses PHI about them for payment. A CE is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees.

Page 43

Disclosing PHI to Health Plans: Proposed Regulations

CE must agree to individual’s request to restrict disclosure of PHI to health plan if:
PHI pertains solely to health care for which individual (or person on behalf of individual other than health plan) has paid CE in full out of pocket
Disclosure is not required by other law

Page 44

Disclosing PHI to Health Plans: Proposed Regulations

CE cannot require individual to pay out of pocket for all services if that individual wishes to restrict disclosures regarding only certain services

If individual’s payment is not honored, and payment issue cannot otherwise be resolved with individual, covered entity may submit PHI to health plan for payment

NPRM requests public comment to resolve various operational issues

Page 45

Enforcement: Current Law

Sections 13409, 13410 and 13411 of the HITECH Act:
Criminal penalties for individuals such as employees
Noncompliance due to “willful neglect”
Distribution of certain Civil Monetary Penalties
Tiered increases in Civil Monetary Penalties
Enforcement by State Attorneys General
Audits

Page 46

Enforcement: Current Law

Enforcement Interim Final Rule (IFR)
Published Oct. 30, 2009; Effective November 30, 2009
Implemented Section 13410(d) of the HITECH Act by:

Setting four categories of violations reflecting increasing culpability
Setting four corresponding tiers of penalty amounts, increasing minimum penalty amounts
Establishing a maximum penalty amount of $1.5 million for all violations of an identical provision
Revising affirmative defenses
Providing a prohibition on the imposition of penalties for any violation corrected within 30 days, if the violation was not due to willful neglect

Page 47

Enforcement Under NPRM

Incorporates "willful neglect" and gives definition
Mandates certain investigations
Increases ability of HHS to see PHI for enforcement investigations
Gives definition to factors considered in investigation

Page 48

Enforcement Under NPRM

OCR will investigate if preliminary investigation indicates “willful neglect”
OCR not required to seek informal resolution before proceeding to formal enforcement
Revised definition of “reasonable cause”
Guidance as to categories of culpability in preamble

Page 49

Enforcement: Actions to Take Now

Develop and implement HIPAA-compliant policies and procedures
Properly secure PHI to access the Breach Notification safe harbor
Complete self-audits to confirm PHI is protected
If a violation is discovered, act quickly to discontinue and correct
Strengthen complaints process to resolve cases prior to federal claim
Observe HIPAA’s relevant remediation requirements

Page 50

De-Identification: Current Law

De-identification under 45 CFR §164.514(b)
Statistical approach: a qualified statistical or scientific expert concludes, through the use of accepted analytic techniques, that the risk the information could be used alone, or in combination with other reasonably available information, to identify the subject is very small.

Page 51

De-Identification: Current Law

“Safe Harbor” approach permits a covered entity to consider data to be de-identified if:
It removes 18 types of identifiers (e.g., names, dates, and geocodes on populations with less than 20,000 inhabitants)
It has no actual knowledge that the remaining information could be used to identify an individual, either alone or in combination with other information.

Page 52

De-Identification: Current Law – Safe Harbor

Must remove the following identifiers of the individual, relatives, employers, and household members:
Names
All dates except year, and ages >89
Geographic subdivisions smaller than state, except for initial 3 digits of zip if it contains > 20,000
Telephone #s
Fax
Email addresses
SSN
Medical Record #
Health plan #
Account #
Certificate/license #
VINs and Vehicle Serial #s
Device IDs and Serial #s
URLs
IP address
Biometric identifiers, i.e. finger or voice prints
Full face photo
Any other unique ID #s, characteristics or codes
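The Safe Harbor removals above, applied to one flat record as an added Python example (not code from the presentation or from OCR). The field names, the sample record and the 3-digit ZIP population figures are constructed for illustration; a real implementation would load Census figures. It keeps only the year of dates, aggregates ages over 89, and keeps a ZIP prefix only when it covers more than 20,000 people (otherwise writing 000, the rule's convention for small prefixes).

```python
import re
from datetime import date

# Constructed, hypothetical population figures for 3-digit ZIP prefixes
# (not real Census data; a real implementation would load the real table).
ZIP3_POPULATION = {"537": 400_000, "036": 12_000}

# Direct identifiers from the slide's list that are dropped outright; the
# field names are assumptions made for this example.
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "account_no",
               "health_plan_no", "license_no", "device_id", "vin", "url",
               "ip_address", "biometric", "photo", "street", "city", "county"}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor_zip(zip_code: str) -> str:
    """Keep the initial 3 digits only if that prefix covers more than 20,000
    people; otherwise replace the prefix with 000."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def deidentify(record: dict, as_of: str) -> dict:
    """Apply the Safe Harbor removals to a flat record whose dates are ISO-8601 strings."""
    today = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                                  # identifier: remove outright
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)      # geography: 3-digit ZIP at most
        elif key == "dob":
            age = age_on(date.fromisoformat(value), today)
            # Ages over 89 are aggregated; a birth year would reveal them, so it goes too.
            out["age"] = "90+" if age > 89 else age
            out["birth_year"] = None if age > 89 else int(value[:4])
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key] = int(value[:4])                 # any other date: year only
        else:
            out[key] = value                          # clinical content stays
    return out

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"name": "Jane Example", "ssn": "000-00-0000", "dob": "1919-01-01",
                 "street": "1 Main St", "city": "Madison", "zip": "53703",
                 "admit_date": "2010-03-05", "diagnosis": "J18.9"}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "2010-10-15"))
```

Stripping the 18 identifiers is only the first prong; the second, no actual knowledge that the remaining data could identify someone, is a judgment no script can make.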

Page 53

De-Identification: 2010 Workshop

OCR hosted a Workshop on the Privacy Rule’s De-Identification Standard in March 2010
OCR will use information gained through workshop to develop the guidance required & supported by ARRA.
OCR accepted comments after posting
OCR promised guidance on its web site
All materials developed for workshop are posted on OCR web site.

Page 54

De-Identification: Practical Guidance

Even if fit within a safe harbor, are there other sources of liability for sharing de-identified data?

If a CE or BA shares de-identified data, an agreement between the parties should prohibit the recipient from attempting to re-identify individuals.

Require security measures even for de-identified information

Require use of limited access datasets
Require education and training of staff de-identifying data

Page 55

Questions?

Sarah Coyne
(608) 283-2435
[email protected]
Quarles & Brady LLP

Tom Shorter
(608) 284-2239
[email protected]
Godfrey & Kahn, S.C.