
Polsinelli Shughart PC In California, Polsinelli Shughart LLP

Final HIPAA Omnibus Rule Highlights

Presented to the Colorado Bar Association, Health Law Section, February 20, 2013

Emily Wey, Shareholder

Polsinelli Shughart PC


Polsinelli Shughart provides this material for informational purposes only.  The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. 

Polsinelli Shughart is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

© 2013 Polsinelli Shughart PC. In California, Polsinelli Shughart LLP. Polsinelli Shughart is a registered mark of Polsinelli Shughart PC


Important Final Omnibus Rule Dates

• Publication Date: January 25, 2013 (www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf)

• Effective Date: March 26, 2013

• Compliance Date: September 23, 2013

• Business Associate Agreement Compliance Date: September 22, 2014, for “grandfathered” BAAs


FINAL OMNIBUS RULE TOP 6

• Many more entities are Business Associates

• Business Associates are now directly subject to HIPAA in many regards

• Breach notification standard is greatly changed

• Marketing rules are updated

• Individual rights are expanded, particularly with respect to ePHI and genetic information

• Monetary penalties are tiered


POLICY RATIONALES

• 1996 Act and its regulations have been vastly outpaced by technology (ePHI transmission, genetic information)

• One level of accountability (only Covered Entities) does not provide enough enforcement authority

– Legal/regulatory liability and contractual liability have both shifted downstream one level (i.e., Business Associates are now treated like Covered Entities, and subcontractors like Business Associates)


BUSINESS ASSOCIATE CHANGES, Part 1

• The category of entities that will be considered Business Associates has been expanded to include:

– Entities that transmit PHI and need routine access to it (such as HIOs and E-Prescribing Gateways)

– PHR/EHR vendors who serve Covered Entities

– Subcontractors who create, receive, maintain, or transmit PHI for a Business Associate


BUSINESS ASSOCIATE CHANGES, Part 1

• Categories of entities that are not included in the new Business Associate definition:

– A health care provider who receives PHI from another provider for treatment

– Plan sponsors, with respect to disclosures by Group Health Plans

– Government agencies (determining eligibility)

– OHCA participants

– “Conduits”: transmission services with only transient storage of PHI incidental to the transmission (e.g., a postal carrier or an ISP)

• Maintaining PHI (even without viewing it) = BA. The conduit exception is narrow: a vendor that stores PHI on a persistent basis is a Business Associate even if it never looks at the data.


BUSINESS ASSOCIATE CHANGES, Part 2

• Business Associates are now directly liable, and subject to OCR enforcement, for:

– Impermissible uses and disclosures of PHI and ePHI

– Failure to comply with the Security Rule (Business Associates must have in place the same security measures as are required of Covered Entities)

– Failure to provide notification of a breach to a Covered Entity


BUSINESS ASSOCIATE CHANGES, Part 2

• Business Associates are now directly liable, and subject to OCR enforcement, for:

– Failure to provide access to PHI/ePHI to an individual

– Failure to provide an accounting of disclosures (similar to the current requirement)

– Failure to enter into BAAs with downstream subcontractors

– Failure to cooperate with HHS in any compliance investigation

• Consider appointing a Privacy Officer or a person responsible for HIPAA compliance


ACTION ITEMS FOR POTENTIAL BUSINESS ASSOCIATES

• Decide whether you are a Business Associate. If yes, then (by 9/23/13):

• Comply with the HIPAA Security Rule

– Implement administrative, physical, and technical safeguards that protect the confidentiality, integrity and availability of ePHI

– Implement policies and procedures regarding the same

• Implement HIPAA Privacy Policies


Business Associate Action Items, cont’d

• Implement Breach Notification Policies

• Develop a Business Associate Agreement for downstream subcontractors

• Be ready to provide access to PHI/ePHI

• Comply with OCR/HHS investigations


BREACH NOTIFICATION

• Old HIPAA breach notification standard:

– the breach “poses a significant risk of financial, reputational, or other harm to the individual”

• New HIPAA breach notification standard:

– Any acquisition, access, use or disclosure of unsecured PHI/ePHI that is not permitted under the Privacy Rule and does not meet one of three exceptions is presumed to be a “breach” for which notice must occur, UNLESS the Covered Entity or Business Associate can demonstrate, through a risk assessment, that there is a “low probability that the PHI has been compromised”


BREACH NOTIFICATION, cont’d

• EXCEPTIONS TO THE DEFINITION OF BREACH

(1) Unintentional acquisition, access or use of PHI by a workforce member acting in good faith and within the scope of duties, with no further use or disclosure

(2) Inadvertent disclosure from one authorized person to another within the same CE/BA (or OHCA), with no further use or disclosure

(3) Disclosure of PHI where the CE/BA has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information


RISK ASSESSMENT STANDARD

• Factors that must be considered (at a minimum):

– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

– The unauthorized person who used the PHI or to whom the disclosure was made

– Whether the PHI was actually acquired or viewed

– The extent to which the risk to the PHI has been mitigated

• The burden of proof is on the CE/BA, so document the assessment and the evidence behind each factor (e.g., access logs showing whether the data was actually opened) and retain that documentation


BREACH NOTIFICATION PRACTICALITIES

• Encryption and destruction are the only two methods recognized in HHS guidance for rendering PHI “secured” so that its disclosure is exempt from the notification requirements. Caveat: the guidance ties encryption to the NIST standards it cites, and the exemption is lost if the decryption key was compromised together with the data, so keys should be kept separate from the data they protect

• A CE/BA can decide to notify WITHOUT conducting a risk assessment

• Notice to HHS for breaches affecting fewer than 500 individuals must be given within 60 days of the end of the calendar year in which the breach was “discovered”, not “occurred”

• Compliance required by September 23, 2013; in the interim, comply with the old standard

• ACTION ITEMS:

– Revise policies and procedures, BAAs

– Train workforce


BREACH NOTIFICATION, cont’d

• MOST OTHER PRACTICALITIES OF THE BREACH NOTIFICATION PROVISIONS ARE UNCHANGED

– Notice to the media is not changed (required for breaches affecting more than 500 residents of a state or jurisdiction)

– Details of the notification do not change

– Reporting to HHS does not change, except for the year in which the reporting obligation falls


MARKETING RULES STRENGTHENED

• Sale of PHI without authorization is prohibited

– Exceptions for sale of a business, public health

• Marketing communications that are paid for by a third party (other than the Covered Entity) require authorization

– Limited exceptions for refill reminders

– Includes health-related product or service communications

• Must provide the individual with an easy way to stop fundraising communications


MARKETING REQUIREMENT EXCEPTIONS

• No authorization needed for:

– Treatment or health care operations communications made face-to-face, even if money changes hands

– Communications regarding health in general

– Communications about government-sponsored programs

– Refill/drug communications, including communications about generics and adherence communications, provided any payment received is reasonably related to the cost of making the communication

ONE TAKEAWAY REGARDING CHANGES: REMUNERATION = AUTHORIZATION REQUIRED


INDIVIDUAL RIGHTS

• Individuals have a right to receive an electronic copy of their EHR/ePHI

– Can direct that the copy go to a third person

• Individuals can restrict disclosures to health plans if they pay in full out of pocket for the treatment/services

– Doesn’t apply if the check bounces

– Discuss bundled and follow-up services

– Patient must notify downstream providers

• Family members/persons involved in care have access to the records of a deceased person

• Forwarding of immunization records to schools (requires the parent’s or individual’s agreement, which may be oral but must be documented)

• Genetic information is treated as PHI (GINA)


Individual Access to ePHI

• Clarifications for access to ePHI

– Providers are not required to give direct access to their systems

– ePHI-linked data must also be provided

– Can provide hard copy and ePHI if the record is mixed

– Don’t have to use an individual’s flash drive, etc. to provide the copies

– Unencrypted email is acceptable if the individual, after being warned of the risk of interception, still requests it

– 30 days to provide records (one extension of up to 30 days is permitted, with written notice to the individual)

– Charging of costs is acceptable, but check state law


ACTION ITEMS: INDIVIDUAL RIGHTS

• Evaluate system ability to provide ePHI

• Revise Notice of Privacy Practices

– Right to receive an electronic copy

– Marketing/sale of PHI/psychotherapy notes: authorization required

– Right to receive notice following a breach

– PHI provided to family members after death

– Restrict disclosures to health plan if cash paid for services (not applicable if check bounces)

– Opt-out for fundraising

– Health plans: no use of genetic information for underwriting

• Revise Policies and Procedures


Genetic Information Nondiscrimination Act (GINA)

• Provisions prohibit the use of genetic information for underwriting

• Genetic information is:

– Information about genetic tests of an individual or a family member

– Manifestation of a disease or disorder in an individual’s family members

– Does not include age/sex

– A genetic test is an analysis of DNA, RNA, chromosomes, proteins or metabolites that detects genotypes, mutations or chromosomal changes; it does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder or pathological condition


TIERED CIVIL PENALTIES

Violation category                          Each violation        Annual cap (all violations of an identical provision)
Did not know                                $100 to $50,000       $1.5M
Reasonable cause                            $1,000 to $50,000     $1.5M
Willful neglect, corrected within 30 days   $10,000 to $50,000    $1.5M
Willful neglect, not corrected              $50,000               $1.5M


PENALTY ASSESSMENT FACTORS

• HHS is not bound to impose the maximum penalty, but will consider:

– The nature and extent of the violation

– The resulting harm (number of people affected, reputational harm)

– The entity’s history of compliance or violations

– The financial condition of the entity

– Any other factors justice may require

• REMEMBER: intentional acts may be subject to separate criminal prosecution


FINAL ACTION ITEM LIST

• CE: Revise Notice of Privacy Practices

• BA: Comply with Privacy & Security Rules

• CE/BA: Identify Business Associates

• CE/BA: Revise and enter into new/amended Business Associate Agreements (two different deadlines: September 23, 2013 in general, September 22, 2014 for “grandfathered” BAAs)

• CE/BA: Review any “remuneration” relationships involving PHI/ePHI

• CE/BA: Implement/revise HIPAA Policies and Procedures

• CE/BA: Train Workforce


QUESTIONS?


Emily [email protected], 303.583.8255