HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California (c) 2013 James J. Eischen, Jr., Esq.

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

James J. Eischen, Jr., Esq.

November 2013, San Diego, California

(c) 2013 James J. Eischen, Jr., Esq.

JAMES J. EISCHEN, JR., ESQ.

Partner at Higgs, Fletcher & Mack, LLP

26+ years of experience as an attorney in California in planning and compliance, with emphasis on private medicine, healthcare/data management start-up enterprises, and healthcare business planning.

Graduated from the University of California at Davis School of Law in 1987.

Professional memberships: San Diego County Bar Association Law & Medicine Section; Attorney-Client Relations Committee; American Academy of Private Physicians (corporate secretary and chair of the legal compliance and advocacy committee).

SO, WHAT IS HIPAA?

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

WHY SHOULD I CARE?

• You might now be HIPAA regulated just like a physician’s office regarding HIPAA

– What the !@#$%^&*?????????

– This is doable if you understand HIPAA

FIRST, KEY TERMS

• “PHI” = Protected health information

• “Unsecured” = PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons

– Encryption and destruction are the means of rendering PHI secured

• Breach

– Acquisition, access, use or disclosure of PHI

– that compromises the security or privacy of the PHI

WHAT ARE BASIC HIPAA RULES?

• The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information.

• The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes national security standards for efforts to protect certain health information held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (ePHI).

• The Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

WHY HAVE A “SECURITY” RULE?

• Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information.

– 50 states = 50 sets of privacy laws

• New technologies evolving.

• Security Rule protects privacy while allowing covered entities to adopt new technologies.

• Security Rule designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies appropriate for the entity’s particular size, organizational structure, and risks to consumer ePHI.

HOW TO COMPLY WITH THE SECURITY RULE

• Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.

• Specifically, covered entities must:

– Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;

– Identify and protect against reasonably anticipated threats to the security or integrity of the information;

– Protect against reasonably anticipated, impermissible uses or disclosures; and

– Ensure compliance by their workforce.

• Documented in a “Risk Assessment Memo.”

SECURITY RULE: CONFIDENTIALITY AND FLEXIBILITY

• The Security Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons; “integrity” to mean that ePHI is not altered or destroyed in an unauthorized manner; and “availability” to mean that ePHI is accessible and usable on demand by an authorized person.

• Covered entities range in size. The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.

SO, WHAT SECURITY MEASURES SHOULD BE IMPLEMENTED?

• Security Rule does not dictate specific measures, but requires the covered entity to consider:

– Size, complexity, and capabilities,

– Technical, hardware, and software infrastructure,

– Costs of security measures, and

– Likelihood and possible impact of potential risks to ePHI.

Covered entities must review and modify their security measures to continue protecting ePHI in a changing environment.

WHAT IS THE OMNIBUS/FINAL RULE (OR, WHY DO I NEED TO KNOW ABOUT HIPAA?)

Covered entities need to review documentation including business associate agreements, notice of privacy practices, and their policies and procedures to ensure compliance with the Final Rule.

• BAA that complies with pre-Omnibus rule

– Update BAA by September 23, 2014

• BAA that does not comply with pre-Omnibus rule

– Have an Omnibus-compliant BAA in place by September 23, 2013

BEFORE AND AFTER OMNIBUS RULE

• Before

– Business Associates (“BA”) contractually regulated through a Business Associate Agreement (BAA)

• After

– BAs and subcontractors are now Covered Entities (“CE”) and regulated directly under HIPAA

BAs = CEs: they must comply with HIPAA and are directly regulated

EXPANDED DEFINITION OF CE

• CE: anyone who, on behalf of a covered entity (CE), creates, receives, maintains or transmits PHI

• Subcontractor of a BA

Role + responsibilities of BA = CE

BA status and exposure are determined by role and responsibilities, not simply by being a party to a BAA

FINAL RULE EXPANDED DEFINITION OF “BUSINESS ASSOCIATES” & “COVERED ENTITIES”

• Patient Safety Organizations

• Health information exchange organizations

• E-prescribing gateways

• CE personal health record vendors

• Data transmission providers that require access to PHI on a routine basis

• AND: Any person or entity with ePHI!!!

NOT A BA/CE?

• Those who simply provide transmission services

– Digital couriers or “mere conduits”

But if you have personalized ePHI, even if you don’t view it, you are a BA/CE!!!

SUBCONTRACTORS?

• Contract between the CE’s BA and the BA’s subcontractor must satisfy the BA requirements

• A subcontractor of a subcontractor of a subcontractor of a subcontractor: ALL are BAs

HIPAA/HITECH obligations apply to subcontractors

WHEN DO BAs/CEs HAVE TO COMPLY?

• If using BAA that complies with pre-Omnibus rule

– Update BAA by September 23, 2014

• If using BAA that does not comply with pre-Omnibus rule

– Have an Omnibus-compliant BAA in place by September 23, 2013

WHAT SHOULD YOU DO IF A BA/CE?

• Confirm whether you are a CE/BA

• Review all existing BAAs

• Evaluate relationships/agreements that require BAAs

• Create HIPAA compliance documents

– Notice of Privacy Practices (NPP)

– Business Associate Agreement (BAA)

– Risk Assessment/Security Rule

BREACHES AND SECURITY

PRESUMPTION OF BREACH

• Interim Final Rule

– Risk assessment to determine if unauthorized PHI access, use or disclosure caused harm

– No presumption of a breach

• Final Rule

– Unauthorized access, use or disclosure presumed to be a breach unless CE determines low probability PHI was compromised

POTENTIAL BREACH EVALUATION

• CE must evaluate

– Nature and extent of the PHI involved

– The unauthorized person who used the PHI or to whom it was disclosed

– Whether the PHI was actually acquired or viewed

– The extent to which the risk has been mitigated

DOCUMENT, DOCUMENT, DOCUMENT

AND THEN DOCUMENT SOME MORE

BREACH NOTIFICATION

• BA/CE must provide notice of breach

– To CE (if applicable)

– Breach treated as discovered as of the first day on which it is known, or would have been known

• When, by exercising reasonable diligence, would the breach have been known?

• Subcontractor BA gives notice to BA

ACCESS AND RESTRICTIONS

ACCESS TO THIRD PARTIES

• Individual can request CE to send PHI to another individual/entity

– In writing

• Electronic OK but verification needed

– Identify who/what is the PHI receiver

• PHI must still be protected when sent to third parties

• Third parties receiving PHI – BA & CE!

CALIFORNIA: NEW DATA PRIVACY LAWS BEYOND HIPAA

DO NOT ASSUME ALL PRIVACY LAWS ARE FEDERAL!

http://www.paulhastings.com/Resources/Upload/Publications/Stay-Current-California-Privacy-Law.pdf

• A “Do Not Track” Law, which requires commercial websites and online service providers to disclose how they respond to “do not track” signals from Internet browsers;

• An “Eraser” law, which provides web users under the age of 18 with the right to delete or remove content they have posted online and which contains advertising prohibitions restricting the marketing and advertising of products not legally available to minors (such as alcohol and firearms) on sites “directed to minors”;

• Expanded data breach notification requirements, which add user names and email addresses to the definition of “personal information”;

• A “revenge porn” law which makes the photographer’s publishing of pornographic material without the subject’s consent and “with the intent to cause serious emotional distress” a misdemeanor;

• An expanded Confidentiality of Medical Information Act (“CMIA”), which now covers “any business that offers software or hardware” to California consumers, including mobile applications or other related devices; and

• A Privacy of Consumer Electrical or Natural Gas Usage Data law which prohibits businesses from sharing with a third party a customer’s electrical or natural gas usage data without first obtaining the customer’s express consent.

THANK YOU

James J. Eischen, Jr., Esq.

Office: (619) 819-9655

Email: [email protected]

Skype: jeischenjr

http://www.assessmentandplan.com

http://www.higgslaw.com
