HIPAA/HITECH: Relief for the Newest Regulatory Headache

Kippy L. Wroten, Founding Shareholder, Wroten & Associates
Darryl A. Ross, Shareholder, Wroten & Associates

Transcript of the slide deck.

Page 1: HIPAA/HITECH: Relief for the Newest Regulatory Headache (title slide)

Page 2: Scope of the Omnibus Rule

• Research uses of data – compound, more general authorizations.
• Patients' right to restrict data sharing with payors (when the patient pays for the item or service out of pocket in full).
• Requirements to modify and redistribute notices of privacy practices.
• Inclusion of limitations on the use of genetic information for underwriting.
• Clarifies the HHS Secretary's role in enforcement, the imposition of civil money penalties (CMPs), and CMP liability for the acts of agents.

Page 3: What's Not in the Omnibus Rule

• Accounting of Disclosures – still in process.
• Methodology for giving individuals "harmed" by HIPAA violations a percentage of any civil monetary penalties or settlements collected.
• Guidance for implementation of the minimum necessary standard.
• HITECH also mandated a study of the definition of "psychotherapy notes" – no specific deadline for the study.

Page 4: HIPAA – Privacy vs. Security

• HIPAA Privacy Rule – the need to protect medical records and other health information in any form (electronic, paper, or spoken) from being shared, viewed, distributed, etc. without authorization.
• HIPAA Security Rule – the need to develop and maintain the security of all electronic protected health information (ePHI), including storage and transmission.

Page 5: Privacy Rule

Components of the Privacy Rule (diagram):
• Notice of Privacy Practices
• Right to Request Privacy Protection for PHI
• Right to Individual Access to PHI
• Administrative Requirements
• Uses & Disclosures of PHI
• Accounting for Disclosures

Page 6: Security Rule

Components of the Security Rule (diagram):
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Elements shown in the diagram:
• Privacy Officer
• Policies & Procedures (P&Ps)
• Access Authorization
• Business Associates
• Disaster Recovery / Contingency Plans
• Routine Audits
• Access Control
• Software Control
• PHI Destruction
• Workstation Privacy
• Training
• IT Hacking / Intruders
• Encryption
• Password Protection
• Written Record of Network Configuration
• Risk Analysis Documentation
• Risk Management Documentation

Page 7: Health Information Technology for Economic and Clinical Health Act (2009) Expands Protection

Omnibus Rules (diagram):
• Direct Liability for Business Associates
• Expanded Individual Rights
• Right to Preclude Disclosure
• Genetic Information Preclusion
• Breach Notification Rules Expanded
• Notice of Privacy Practices Redistribution
• Civil Monetary Penalties Increased

Page 8: How Do HIPAA & HITECH Apply to Me?

• Covered Entities
• Hybrid Entities
• Business Associates (Vendors)

Page 9: Protected Health Information

• What is it?
  – Identifies the individual
  – Transmitted or maintained by a CE or BA
  – Relates to an individual's physical or mental health, the provision of health care, or payment for health care
  – Includes demographic information

Page 10: PHI

Common identifiers:
• Names
• SSN
• Medical record numbers
• Account numbers
• Dates of treatment

Probably aware:
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Certificate/license numbers

Did you know? These are identifiers too:
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Uniform Resource Locators (URLs)
• Internet Protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

These are the identifiers from the Privacy Rule's de-identification "safe harbor" list at 45 CFR 164.514(b)(2). For dates, anything more specific than the year counts as an identifier.
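The "did you know" identifiers are the ones that most often slip through when staff review a document by eye: an IP address in a portal log, a URL carrying a record number, a device serial. The scanner below is an added example (not part of the presenters' slides) of how a security team can check free text for the identifiers that have a recognisable shape. Everything in it is an assumption for illustration: the regexes are heuristics, the "MRN: digits" convention is made up, and the sample note is constructed. Names, street addresses and biometric identifiers have no shape a regex can catch, so a scanner like this is a detective control that backs up, rather than replaces, the safe-harbor review.

```python
import re
from collections import defaultdict

# Regexes for HIPAA identifiers that have a recognizable shape in free text.
# Order matters for redaction: longer constructs (URLs) go before the pieces
# they may contain (IP addresses).
IDENTIFIER_PATTERNS = {
    "url": re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Telephone or fax, US style: optional +1, optional area code in parentheses.
    # The lookbehind (rather than \b) lets a match start at "(".
    "phone_or_fax": re.compile(
        r"(?<![\w-])(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"
    ),
    # Medical record numbers, assuming the "MRN: digits" convention used in the
    # constructed sample below (a real system needs its own pattern).
    "mrn": re.compile(r"\bMRN[:# ]\s*\d{5,}\b", re.IGNORECASE),
    # Any date more specific than a year: safe harbor lets only the year stand.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}


def scan_for_identifiers(text):
    """Return {identifier_kind: [matched strings]} for every identifier found."""
    found = defaultdict(list)
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            found[kind].append(match.group(0))
    return dict(found)


def redact(text):
    """Replace each identifier with a [KIND] token, longest constructs first."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub("[%s]" % kind.upper(), text)
    return text


def is_year_only(text):
    """True when no identifier shape is present (a year on its own is allowed)."""
    return not scan_for_identifiers(text)


# Constructed sample clinical note; every identifier in it is made up.
SAMPLE_NOTE = (
    "Pt seen 09/23/2013 for follow-up. MRN: 00012345. "
    "Contact: j.doe@example-clinic.test, (555) 010-1234. "
    "SSN on file 123-45-6789. Portal login from 10.20.30.40, "
    "see https://portal.example-clinic.test/records/00012345 for images."
)

if __name__ == "__main__":
    for kind, values in scan_for_identifiers(SAMPLE_NOTE).items():
        print("%-13s %s" % (kind, ", ".join(values)))
    print(redact(SAMPLE_NOTE))
```

Run against the sample note, the scanner reports seven identifier kinds, including the IP address and the URL that a reviewer looking for "names and SSNs" would skip. Tune the patterns to your own record formats, and treat a clean result as "nothing obvious found", not as proof of de-identification.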

Page 12: Covered Entities

Health plans – an individual or group plan that provides or pays the cost of medical care.

Health care clearinghouses – a public or private entity, including a billing service, re-pricing company, community health management information system or community health information system, and "value added" networks and switches, that either processes or facilitates the processing of health information.

Health care providers – providers of care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

+ … who electronically transmit any health information in connection with a HIPAA standard transaction.

Page 13: Hybrid Entities

• A single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be affected, because the health care component is limited in how it can share PHI with the non-health care component. The covered entity also retains certain oversight, compliance, and enforcement responsibilities.

Page 14: Who is a Business Associate?

• Claims processing
• Data analysis
• Utilization review
• Billing
• Legal (including litigation counsel)
• Actuarial
• Accounting
• Consulting
• Data aggregation
• Management
• Administrative
• Accreditation
• Financial services
• E-discovery vendors
• Copier technicians (if your copier has memory)
• Shredding services
• Computer support services
• Records subpoena/duplication services

Page 15: Business Associates – HITECH Expands Privacy and Security

• Expanded definition of "business associate": a business associate is one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI.
• "Business associate" now also means a subcontractor of a business associate who creates, receives, maintains or transmits PHI on behalf of the business associate.
  – Status as a business associate is based upon role and responsibilities, not upon who the parties to the contract are.

Page 16: Business Associate Definition – Clarifications

• The rule clarifies that the definition of "business associate" includes:
  – Patient Safety Organizations
  – Health information exchange organizations, e-prescribing gateways, and covered entities' personal health record vendors (not all PHR vendors)
  – Data transmission providers that require access to PHI on a routine basis
• Not included: those who merely provide transmission services, like digital couriers or "mere conduits."
• However, those who store PHI, even if they do not intend to actually view it, are BAs (implications for cloud-hosted EHRs). HHS's later cloud computing guidance confirms this: a cloud service provider that stores ePHI is a business associate even when the data is encrypted and the provider holds no decryption key.

Page 17: Business Associates (diagram)

Direct liability now attaches to business associates providing, among other services: management; administrative support; accreditation survey; consults; financial services; actuarial; accounting; legal; billing; utilization review; data aggregation & analysis; claims processing.

Page 18: Do They Know Who They Are?

• Implications for subcontractor relationships
• The contract between the covered entity's BA and that BA's subcontractor must satisfy the BAA requirements
  – A subcontractor of a subcontractor is also a BA, and so on
• As a result, the HIPAA/HITECH obligations that apply to BAs also apply directly to subcontractors

Page 19: BAs – Uses of PHI

• Uses of PHI
  – BAs may use or disclose PHI only as permitted by the BAA or as required by law
  – BAs may not use or disclose PHI in a manner that would violate the Privacy Rule
  – Subcontractors are subject to the limits in the initial CE-BA agreement; these must be passed along in subcontracts
  – A BA's use or disclosure is not a permitted one if it does not follow the minimum necessary rules
• A BA does not comply if it knows of a subcontractor's material noncompliance and does not take reasonable steps to cure the breach or, if such steps fail, to terminate the relationship
• BAs (including subcontractors) are subject to civil money penalties for HIPAA violations
• BAs/subcontractors remain liable under contract to the CE/BA
• The Secretary is authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
• BAs (including subcontractors) are required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
• BAAs – generally, compliance is required 180 days following the Omnibus Rule's effective date (3/26/13), which is 9/23/13. (Existing BAAs that complied with the pre-Omnibus rules and were not renewed or modified between 3/26/13 and 9/23/13 could be relied on until 9/22/14 before they had to be updated.)

Page 20: Omnibus Rules Compliance

Omnibus Rules compliance date: September 23, 2013

Page 21: Compliance Plan – Step One

• Have you established executive/board-level responsibility for HIPAA compliance?
• Have you designated yourself as (a) a hybrid entity, or (b) a single affiliated covered entity with other legally separate covered entities under common ownership or control?
• Have you taken the necessary follow-up steps to document this?
• Have you designated responsible persons for Privacy? For Security? Do you have job descriptions?
• Have you distributed a Notice of Privacy Practices identifying the Privacy and Security Officers?
• Have you posted information and trained staff?
• Has the staff signed confidentiality agreements related to privacy and security?
• Do you have Business Associate Agreements in place?

Page 22: Compliance Plan – Step Two

• Is HIPAA privacy and security included in new employee orientation?
• Is your governing body/board trained?
• Are volunteers and clergy trained?
• How do you facilitate privacy and security awareness?

Page 23: Risk Assessment

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Page 24: Risk Assessment – PHI Flow Chart

(Diagram showing PHI flowing among Fax Transmittal, Admissions, the Director of Nurses and the Business Office, in the forms of Computer File, Written Chart, Written Admissions Documents and Electronic Billing.)

Page 25: Security Risk Assessment – Organizational Requirements

• Business Associates identified
• Policies & Procedures adopted
• Documentation procedures adopted

Page 26: Security Risk Assessment

• Security Awareness and Training
• Security Incident Procedures
• Workstation Use
• Device and Media Controls
• Access Control
• Integrity
• Person/Entity Authentication
• Transmission Security

Page 27: Access Controls

• Facility access controls – limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. §164.310(a)(1).
• Workstation security – physical safeguards for all workstations that access ePHI, restricting access to authorized users. §164.310(c).

Page 28: Workstation Security Compliance Practices

• Identify desktops/laptops containing ePHI.
• Lock-down procedures.
• Policies to prevent unencrypted ePHI from being stored on portable electronic devices and laptops.
• Encryption practices.

Page 29: Device Controls and Re-Use

§164.310(d)(1) – Device and media controls:
• Movement within the facility.
• Removal of hardware from the facility.
• P&Ps to address the final disposition of ePHI and/or the medium on which it is stored.

§164.310(d)(2)(ii) – Media re-use:
• P&Ps governing removal of ePHI before a device is re-used.
• P&Ps to assure ePHI is unusable and/or inaccessible prior to re-using the device.
• Storage devices or ePHI records must be overwritten in accordance with NIST guidelines. (The current guideline, NIST SP 800-88, treats a single overwrite pass as sufficient for magnetic media and does not consider overwriting reliable for flash/SSD media; for those, use cryptographic erase or physical destruction.)

Page 30: Disposal Compliance Practices

• ePHI must be rendered unusable and/or inaccessible prior to disposal.
• When portable media is discarded, it should be overwritten in accordance with NIST guidelines (or, for flash/SSD media, where overwriting is unreliable, cryptographically erased or physically destroyed).
• Maintain a record of where the hardware is, and the person responsible for it. §164.310(d)(2)(iii).

Page 31: Accountability Practices for Compliance

• Identify the types of hardware and electronic media that must be tracked.
• Create a record/log to track where devices are.
• Portable devices should not ordinarily contain ePHI, and must be individually identified in the tracking system in order to contain ePHI.
• Possession of a portable device with ePHI must be consistent with the individual's position.
• Inventory should be physically confirmed at least annually.

Page 32: Data Backup and Storage

• Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. §164.310(d)(2)(iv)
• Establish a process for documenting or verifying its creation.

Page 33: Four Components of Compliant Technical P&Ps (§164.312(a)(2))

§164.312(a)(2)(i) Unique user identification – a unique name/identifier to track users.
§164.312(a)(2)(ii) Emergency access procedures.
§164.312(a)(2)(iii) Automatic logoff procedures.
§164.312(a)(2)(iv) Encryption and decryption procedures.

Page 34: Step 1: User ID

• A unique account for each user with access to ePHI, including a unique username and password.
• Verification procedures.
• P&Ps to map permissions.
• Generic or shared accounts are not permitted for access to ePHI.
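The reason the rule insists on unique user IDs is accountability: when a login is shared, the audit trail no longer says who viewed a chart. A security team can check for that condition directly in the access logs. The script below is an added example, not from the presenters' deck, of two such checks: a name heuristic for generic-looking accounts, and a behavioural test that flags one account active from two different source addresses within a short window, which is what a shared "nurse station" login looks like in practice. The log line format (`timestamp user= src= action=`), the list of generic name prefixes and the sample log are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One access-log line per event. This field layout is assumed for the example;
# map your own EHR or SIEM export onto these four fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+action=(?P<action>\S+)$"
)

# Account names that look like shared or generic logins. Heuristic only: the
# authoritative source is your identity system's person-vs-role attribute.
GENERIC_NAME = re.compile(r"^(?:admin|nurse|shared|test|temp|frontdesk)", re.IGNORECASE)


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def generic_accounts(events):
    """Accounts whose name pattern suggests a shared or generic login."""
    return {ev["user"] for ev in events if GENERIC_NAME.match(ev["user"])}


def find_concurrent_use(events, window=timedelta(minutes=5)):
    """Flag an account used from two different source addresses within `window`.

    Two people sharing one login show up as activity from two workstations too
    close together in time for one person to have walked between them.
    Returns one finding per offending pair of events.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted, so later ones are further away still
                if b["src"] != a["src"]:
                    findings.append({
                        "user": user,
                        "src_a": a["src"], "src_b": b["src"],
                        "ts_a": a["ts"], "ts_b": b["ts"],
                    })
    return findings


# Constructed sample: three accounts over one morning, plus one malformed line.
SAMPLE_LOG = """\
2013-09-23T08:01:12 user=jdoe src=10.0.5.11 action=view_chart
2013-09-23T08:02:40 user=nursestation src=10.0.5.20 action=view_chart
2013-09-23T08:03:05 user=nursestation src=10.0.5.21 action=update_meds
2013-09-23T08:04:10 user=jdoe src=10.0.5.11 action=update_meds
2013-09-23T08:04:55 user=asmith src=10.0.5.30 action=view_chart
2013-09-23T08:06:02 user=asmith src=10.0.9.77 action=view_chart
2013-09-23T09:30:00 user=asmith src=10.0.5.30 action=view_chart
this line is malformed and is skipped
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("generic-looking accounts:", sorted(generic_accounts(events)))
    for f in find_concurrent_use(events):
        print("%s used from %s and %s within %s" % (
            f["user"], f["src_a"], f["src_b"], f["ts_b"] - f["ts_a"]))
```

On the sample, `nursestation` is caught by both checks, and `asmith`, a personal account, is caught by the behavioural check alone (two workstations 67 seconds apart), which is the case a name-based review would miss. Pick the window to suit the site: a roaming clinician with a tablet legitimately changes addresses, so a finding is a lead for the privacy officer, not a verdict.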

Page 35: Step 2: Emergency Controls

• The protocol should be written.
• Do not rely on the availability of a single individual.
• Identify roles that may require special access during an emergency.
• Proper identification of individuals is required.
• Will access require power or a network?
• If electronic systems are a copy of the medical record and access to the system is not necessary for safe patient care, use of the medical records while the system is unavailable is acceptable.

Page 36: Step 3: Auto Logoff Compliance Practices

• Best practice: require electronic sessions to be terminated after a period of inactivity.
• If terminating the session is not possible, implement automatic workstation lockout as a compensating control.
• What is an appropriate amount of inactivity before automatic lockout? The presenters' answer: 10 minutes. (The rule itself sets no number. Enforce the timeout on the server or in the application, not only through a client-side screen lock, so that a session left open on an unlocked or compromised workstation still expires.)

Page 37: Step 4: Encryption Technical Standards

• HITECH references NIST encryption standards (HHS's guidance on "secured" PHI points to NIST SP 800-111 for data at rest and NIST SP 800-52, 800-77 and 800-113 for data in transit).
• Enforce complex passwords where possible.
• Protection from malicious software.
• Ensure secure remote access.
• Implement correctly configured firewalls (hardware and/or software).

Page 38: Step 4: Encryption – Decryption: P&Ps

• Unique user IDs.
• Frequent changes to IDs/credentials.
• Prohibit storing unencrypted ePHI on portable electronic devices, including laptops.
• Remote wipe procedures, triggered by:
  – repeated incorrect passwords
  – IT personnel

Page 39: Common Sense & Security

• Log off your system if you are not in front of it.
• Remove patient/resident/employee data from view.
• Make sure others cannot see your computer screen.
• Don't place patient/resident/employee data on a flash drive, CD, diskette, or even your C: drive if you have a PC.
• Don't give anyone your password.
• Any device/laptop used to store/transmit PHI must be encrypted – don't store/transmit PHI on personal devices.
• "Secure" all PHI when it is sent outside the secure environment: emails, texts.

Page 40: Mobile Devices & Security

• Enterprise-issued mobile devices
  – Password protected
  – Encrypted
  – Remote monitoring
  – Remote wiping (destruction)
• BYOD – are they secure?
• Dealing with physicians who insist on texting – difference between sending and receiving
• Education & Training materials: healthit.gov/providers-professionals/downloadable-materials

Page 41: Risks of Mobile Devices

• Mobile devices are produced for consumer use.
• They can store massive amounts of data.
• They lack the security and operational controls that enable management of the device from a centralized system.
• They are easily lost or stolen and pose increased risks to the confidentiality and security of patient health information.
• Loss or theft may result in breach notification.

Page 42: Where is your data?

Page 43: What is this? (image slide: "say hello to your data", followed by "or this" and "and this")

Page 44: ePHI & Text Messaging – P&Ps

• Appropriate use of work-related texting.
• Prohibiting texting of ePHI.
• Requiring medical records to be updated if ePHI is received via text.
• Identifying a retention period for any ePHI received via text.
• An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal devices).

Page 45: Device Ownership – BYOD Considerations

• Written authorization before storing ePHI.
• A clear definition of data ownership.
• Define what is acceptable use.
• Annual acknowledgment of organization P&Ps.
• Reservation of rights to examine devices.
• Procedures during employee or contractor separation.

Page 46: BYOD Policies To Consider

• Appropriate use of texting.
• Appropriate use of camera and video.
• Appropriate use of sensitive information.
• Requirements for password protection and lock-out features.
• Prohibition on altering factory defaults and operating systems (i.e., jail-breaking).
• Appropriate use of applications and conditions for downloading software.

Page 47: Technology Solutions for Mobile Devices

• Password protection and encryption for mobile devices that create, receive or maintain text messages with ePHI.
• Enterprise control to oversee communication use.
• Enterprise control to wipe information from lost devices and/or the devices of separated employees.
• Use of a secure messaging application.
• Audit trail system.

Page 48: Security Assessment Exemplars

Page 49: Event Management: Breach

• Ready or not, expect there will be a breach.

Page 50: Risk Assessment: Breach

• A CE/BA should perform a risk assessment after a breach is discovered, and must consider at least the following four factors:
  – The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  – The unauthorized person who received or used the PHI
  – Whether the PHI was actually acquired or viewed
  – The extent to which the risk to the PHI has been mitigated

Page 51: Risk Analysis Criteria

• Likelihood of identification or re-identification:
  – a list of patient names – not low probability
  – patient discharge data with the patient not specified – can patients be re-identified? – could be low probability (depends on the circumstances)
• Who is the unauthorized recipient:
  – a HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated
  – an employer – may be able to use personnel records to re-identify – not low probability
• PHI actually acquired or viewed:
  – an untampered-with laptop – low probability
  – information mailed to the wrong person – not low probability
• Has improper use been mitigated:
  – satisfactory assurances of destruction from a known person – low probability

Page 52: Risk of Harm Analysis

Did the breach pose a significant risk of financial, reputational, or other harm to the individual? (This "significant risk of harm" test comes from the 2009 interim final rule; the Omnibus Rule replaced it with the presumption of breach and the four-factor "low probability of compromise" assessment. The factors below remain useful inputs to that assessment.)

To whom was the PHI disclosed?
• Another employee/BA? Low risk
• Wrong fax number/unauthorized family member? Moderate risk
• PHI lost or stolen? High risk

In what form was the PHI accessed, used, or disclosed?
• Verbal? Low risk
• Paper? Moderate risk
• Electronic? High risk

What event caused the access, use, or disclosure of PHI?
• Unintentional disclosure? Low risk
• Intentional disclosure? Moderate risk
• Hacking/theft? High risk

What type of PHI was impermissibly accessed, used, or disclosed?
• Limited data set? Low risk
• Non-sensitive PHI? Moderate risk
• Treatment provided? Potentially higher risk
• Substance abuse, mental health, contagious disease? High risk
• SSNs, Tax ID, account numbers, passwords/digital signatures? Very high risk

What steps were taken to mitigate potential harm related to the impermissible access, use, or disclosure?
• PHI returned before it was accessed? Low risk
• PHI properly destroyed? Low risk
• Recipient signed a confidentiality agreement? Low risk
• Immediate steps taken to reduce the risk of harm? Low – moderate risk

Page 53: Definition of "Breach"

• The definition changed from the interim rule definition: an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.

Page 54: Has A Breach Occurred?

• Is the information unsecured PHI?
  – Was the PHI de-identified?
  – Was the PHI acquired, accessed, used, or disclosed in accordance with the Privacy Rule?
  – Was the PHI encrypted (using a method consistent with the HHS/NIST guidance, with the decryption key not also compromised)?
  – Was the PHI properly destroyed?
• If the answer to any of the above is "yes", then the information is not unsecured PHI (or there was no impermissible use), so no breach has occurred and notification is not required.

Page 55: Privacy & Security Exceptions

• Did a CE/BA workforce member unintentionally access or use the PHI in good faith while acting within the scope of their duties, and was the impermissible use and/or disclosure stopped before any further disclosure occurred?
• Did a CE/BA workforce member inadvertently disclose PHI to another workforce member where both were otherwise authorized to access/use PHI?
• Was the use/disclosure of PHI incident to an otherwise permissible use or disclosure where the minimum necessary requirement was followed?
• Was the PHI impermissibly disclosed to an unauthorized person, but there is a good-faith belief that the recipient would not have been able to retain the PHI?

If the answer to any of the above is "yes", then no breach has occurred and notification is not required.

Page 56: Breach Decision Tree

1. Is the information PHI?
   No → No notification under HITECH; determine if state breach notification laws apply.
   Yes ↓
2. Is the PHI unsecured?
   No → No notification under HITECH; determine if accounting and mitigation obligations under HIPAA apply.
   Yes ↓
3. Is there an impermissible acquisition, access, use or disclosure of PHI?
   No → No notification under HITECH.
   Yes ↓
4. Does the impermissible acquisition, access, use or disclosure compromise the security or privacy of the PHI? Has a written risk assessment been completed?
   No → No notification under HITECH; determine if accounting and mitigation obligations under HIPAA apply.
   Yes ↓
5. Does an exemption apply?
   Yes → No notification under HITECH.
   No → Notification required; determine the methods of notification for affected individuals, the Secretary of HHS and, if necessary, the media.

Page 58: Breach Notification

• Notification of breach
  – Data breach notification requirements are imposed for unauthorized uses and disclosures of "unsecured PHI."
  – Patients must be notified of any breach of unsecured PHI, without unreasonable delay and no later than 60 days after discovery.
  – If a breach affects 500 or more patients, HHS must also be notified at the same time, and the breaching entity's name will be published on HHS's website. (Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year.)
  – When a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified.
  – Notification is triggered whether the breach of unsecured PHI occurred externally or internally.

Page 59: Notice of Privacy Practices

• Redistribution required!

Page 60: Notice of Privacy Practices (NPP)

• NPPs must include:
  – Statements regarding certain uses and disclosures requiring authorization:
    • Psychotherapy notes (where appropriate);
    • Marketing;
    • Sales of PHI.
  – The right to restrict disclosures to health plans (providers only).
  – The right to be notified of a breach.
  – A general statement that all uses and disclosures not described in the NPP also require authorization.

Page 61: Notice of Privacy Practices

• Does it contain all the required elements?
  – The required header: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
  – Examples of the types of uses and disclosures.
  – A list of uses and disclosures allowed without authorization.
  – A list of the individual's rights.
  – Privacy Officer contact information.
  – Do you use PHI for marketing?
  – Do you use PHI for research?

Page 62: Covered Entity – Privacy Obligations

• Is the NPP posted?
• Has the NPP been translated?
• What is your process for delivery?
• What is your process to re-distribute it when there are changes?
• Is your NPP posted on your websites?

Page 63: Omnibus Rule – NPPs must be Revised

• The changes in the rule are material.
• For plans that post the NPP on a website, post the revised NPP by the effective date and include it in the next annual mailing.
• If there is no website, plans must provide the revised NPP within 60 days of the material revision.
• Providers must post the revised NPP and make it available upon request, and must provide it to (and seek acknowledgement from) new patients.
• It can be sent by e-mail if the individual agrees.

Page 64: Important Next Steps

• Review policies, procedures, and forms, and update them.
• Train staff on the new provisions.
• Inventory BAs and update BAAs.
• Update the breach response plan; in particular, update the risk assessment and address encryption.

Page 65: Components Of An Effective Security Plan

• Policies & Procedures governing hardware and software.
• Testing
• Auditing
• Contingency Plans

Page 66: Compliance Date

September 23, 2013