Presentation is loading. Please wait.

Presentation is loading. Please wait.

April 19, 2013Karen Smith Claire Turcotte © Bricker & Eckler LLP 2013 1 6189374v3.

Similar presentations

Presentation on theme: "April 19, 2013Karen Smith Claire Turcotte © Bricker & Eckler LLP 2013 1 6189374v3."— Presentation transcript:

1 April 19, 2013Karen Smith Claire Turcotte © Bricker & Eckler LLP 2013 1 6189374v3

2 © Bricker & Eckler LLP 2013  Introduction  Omnibus Rule Provisions for Discussion  Revisions to the Breach Notification Rule  Changes to Marketing, Fundraising, and Sale of PHI  Required Changes to the Content of the Notice of Privacy Practices  Enforcement  Business Associates and BA Agreements  Individual Access to PHI – Electronic Copies  Restrictions on the Disclosure of PHI to Payors  Additional Changes: PHI of Deceased Individuals, Disclosure of Immunization Records to Schools, GINA  Conclusion 2

3 © Bricker & Eckler LLP 2013  Final HIPAA omnibus rule (“Omnibus Rule” or “Final Rule”) released January 17, 2013, and published January 25, 2013 (78 Fed. Reg. 5566)  Omnibus Rule implements regulations regarding numerous aspects of the HITECH Act  Effective March 26, 2013. Compliance date for CEs and BAs is September 23, 2013, for everything (except grandfathered BAs)  Note: abbreviations CE, PHI, BA, used in slides for efficiency, including in quotes from Omnibus Rule 3

4 Karen Smith © Bricker & Eckler LLP 2013 4

5  Definition of Breach “Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the PHI” “Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: … [see slide 6]”  Changes  Removal of Risk of Harm  Presumption of Breach 5

6 © Bricker & Eckler LLP 2013  Four Objective Factors  Nature and extent of the PHI involved  Unauthorized person who used the PHI or to whom the disclosure was made  Whether the PHI was actually acquired or viewed  Extent to which the risk to the PHI has been mitigated 6

7 © Bricker & Eckler LLP 2013  The Final Rule adopted the three exceptions found in the Interim Final Rule without modification  Unintentional acquisition, access or use of PHI  Inadvertent disclosure of PHI  Unauthorized disclosure without the ability to retain the information 7

8 © Bricker & Eckler LLP 2013  The Final Rule adopts all of the notification requirements with a minor change  Covered entities are now required to notify HHS of all breaches affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were discovered 8

9 © Bricker & Eckler LLP 2013  The Final Rule requires a covered entity to perform a breach assessment if a limited data set is used or disclosed in an impermissible manner even if the limited data set excludes zip codes and birth dates 9

10 © Bricker & Eckler LLP 2013  All covered entities must comply with the new breach notification requirements by September 23, 2013  Update policies & procedures for reporting, analyzing and documenting a possible breach  Train workforce members regarding revised policies & procedures 10

11 Claire Turcotte © Bricker & Eckler LLP 2013 11

12 © Bricker & Eckler LLP 2013  “Marketing” means: “To make a communication about a product or service that encourages recipients to purchase or use the product or service”  Final Rule requires authorization for all treatment and health care operations communications where the CE receives “financial remuneration” for making the communications from a third party whose products or services are being  The authorization must state that “financial remuneration is involved (note: “financial remuneration” does not include in-kind or non-financial benefits) 12

13 © Bricker & Eckler LLP 2013  Exceptions from “marketing” include:  If “financial remuneration” is reasonably related to the CE’s cost of making the communication: Communications for refill reminders or about drugs or biologics currently prescribed for the individual and generic equivalents Communications reminding patients to adhere to instructions about their currently prescribed medications Communications about drug delivery systems when an individual is prescribed a self-administered drug or biologic Costs of labor, supplies and postage to make the communication are “reasonably related” (e.g., drug manufacturer can cover these costs) 13

14 © Bricker & Eckler LLP 2013  Exceptions from “marketing” (cont’d):  If the CE receives no “financial remuneration”: Communications about the CE’s own health-related products and services Case management or care coordination communications regarding alternative treatments, therapies, health care providers, or settings of care 14

15 © Bricker & Eckler LLP 2013  Face-to-face communications (even if CE receives “financial remuneration”); telephone is not face-to-face  Promotional gifts of nominal value  Communications promoting health in general that do not promote a product or service from a particular provider (e.g., promoting a healthy diet)  Communications about government and government- sponsored programs  Communications that do not involve PHI (e.g., CE uses a purchased mailing list not derived from PHI) 15

16 © Bricker & Eckler LLP 2013  The CE can use certain limited PHI for purposes of raising funds for its own benefit  PHI limited to demographic information relating to an individual and date of health care provided to an individual  Concern that limited set of permitted PHI restricts a CE’s ability to target fundraising communications  Particular concern about ability to avoid inappropriate communications to patients who may have had bad outcomes 16

17 © Bricker & Eckler LLP 2013  Expanded categories of PHI that can be used for fundraising without authorization  If a CE meets specified conditions, it can use or disclose PHI to a BA or an institutionally-related foundation for fundraising without patient authorization including:  Demographic information (name, address, contact information, age, gender, DOB)  Department of service (e.g., cardiology)  Treating physician  Outcome information (including death or sub-optimal outcome)  Health insurance status 17

18 © Bricker & Eckler LLP 2013  To use or disclose PHI for fundraising, the CE must:  Include in its NPP a statement that the CE may contact the individual for fundraising and the individual has a right to opt-out  If an individual does opt-out, their choice must be treated as a revocation of authorization, which then prohibits the CE from sending further fundraising communications  In each fundraising communication, provide a clear and conspicuous opportunity for the individual to opt-out of fundraising communications 18

19 © Bricker & Eckler LLP 2013  Ensure that the method to opt-out of fundraising communications cannot cause the individual to incur an undue burden or more than a nominal cost  Not condition treatment or payment on the individual’s choice with respect to receipt of fundraising communications  Not make fundraising communications to an individual who has elected not to receive fundraising communications 19

20 © Bricker & Eckler LLP 2013  CEs may provide individuals with a method to opt back in.  CEs can choose method to opt-out; suggestions include:  Toll-Free Numbers  E-mail address  Requiring return of preprinted postcard (not an “undue burden”)  But not requiring a written letter (is an “undue burden”)  Size of population to whom sending communications and geographic distribution and other similar factors should be considered in choosing an appropriate opt-out method  Making a donation after having opted out is not an appropriate opt-in method; individual must make a separate election to opt-in 20

21 © Bricker & Eckler LLP 2013  Covered Entities have discretion to determine the scope of the opt-out  If a Covered Entity can track campaign-specific opt-outs, it can use a campaign-specific opt-out  Covered Entities can permit individuals to elect whether to opt-out of all fundraising communications, or only for specific campaign(s)  Generally, communication must clearly inform the individual of their options 21

22 © Bricker & Eckler LLP 2013  No direct or indirect receipt of remuneration in exchange for receiving PHI, except if pursuant to patient authorization meeting specified requirements  Sale includes access, license, lease or transfer of ownership of PHI  Remuneration includes both financial and in-kind (unlike “marketing”) 22

23 © Bricker & Eckler LLP 2013  Public health purposes  Research purposes where only remuneration is a reasonable cost-based fee to cover the costs of preparation and transmittal of data  Treatment and payment purposes  Sale, transfer, merger or consolidation of all or part of the Covered Entity (or related due diligence)  Services of a business associate (or subcontractor) at the request of the Covered Entity and only payment is for such services 23

24 © Bricker & Eckler LLP 2013  Providing an individual with access to his/her own PHI  When required by law  Other purposes permitted by the Privacy Rule, where remuneration received is a reasonable cost-based fee to cover the costs of preparation and transmittal or a fee otherwise expressly permitted by law (e.g., disclosure of limited data sets for permitted purposes) 24

25 Claire Turcotte © Bricker & Eckler LLP 2013 25

26 © Bricker & Eckler LLP 2013  Additions to the NPP  Statement that the following uses and disclosures will be made only with patient authorization: Uses and disclosures for marketing purposes Uses and disclosures for the sale of PHI Most uses and disclosures of psychotherapy notes Other uses and disclosures not described in the NPP  Right to a notice in the event of breach  Right to opt-out of fundraising communications 26

27 © Bricker & Eckler LLP 2013  Additions to the NPP – Providers Only  Right to restrict disclosures of PHI to health plans if an individual has paid for services out-of-pocket, in full, and the individual requests that the provider not disclose PHI related solely to those services 27

28 © Bricker & Eckler LLP 2013  Additions to the NPP – Health Plans Only  Statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes  Exception for certain issuers of long-term care policies 28

29 © Bricker & Eckler LLP 2013  Deletion from the NPP  Statement that the CE may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits or services HHS notes that CEs may choose to leave this in the NPP 29

30 © Bricker & Eckler LLP 2013  Posting and Distribution of Revised NPP  HHS deems this to be a material revision of the NPP  All CEs must revise their NPP by September 23, 2013  Providers must make the revised NPP available to existing patients upon request, post the revised NPP to their websites (if applicable), and post the revised NPP in a prominent location on the premises  New patients who receive services after modification of the NPP must be provided with a copy of the revised NPP  Health Plans must either distribute the revised NPP within 60 days of the change (if they do not post the NPP to a website) or post the NPP to their website and notify all members of the changes in the next annual mailing 30

31 Karen Smith © Bricker & Eckler LLP 2013 31

32 © Bricker & Eckler LLP 2013  Determination of Civil Monetary Penalties (CMPs)  Retains proposed rule’s CMP structure for violations based on tiered levels of culpability Violation Category Penalty for Each Violation Maximum for All Violations of an Identical Provision in a Calendar Year Did Not Know$100-$50,000$1,500,000 Reasonable Cause$1,000-$50,000$1,500,000 Willful Neglect - Corrected $10,000-$50,000$1,500,000 Willful Neglect – Not Corrected $50,000$1,500,000 32

33 © Bricker & Eckler LLP 2013  Determination of Civil Monetary Penalties (CMPs)  HHS will not impose maximum penalty in all cases  CMPs will be calculated on a case-by-case basis depending on these factors: Nature and extent of violation Nature and extent of resulting harm History of non-compliance of the entity  HHS will consider prior non-compliance even if there was no formal finding of a violation Financial condition of the entity 33

34 © Bricker & Eckler LLP 2013  Affirmative Defenses  Prohibits imposition of penalties for any violation that is corrected within 30 days, as long as the violation was not due to willful neglect  Removes affirmative defense that covered entity did not know and with exercise of reasonable diligence could not have known of a violation (Now Tier 1 violation)  CMP may not be imposed if a criminal penalty has already been imposed for the violation 34

35 © Bricker & Eckler LLP 2013  Investigations  HHS no longer has discretion as to whether to initiate an investigation when its preliminary review indicates there may be a violation due to willful neglect  HHS retains sole discretion to decide whether to initiate an investigation or compliance review when its preliminary review indicates there may be a violation and the degree of culpability was less than willful neglect  HHS is no longer required to try to resolve violations by informal means 35

36 © Bricker & Eckler LLP 2013  Liability for Business Associate “Agents”  Adopts proposal to make covered entities and business associates liable for their business associates who are their agents under federal agency law  Whether a business associate is considered an agent of the CE will be a fact-specific determination  Labels used by the parties (e.g., “independent contractor”) will not control whether an agency relationship exists  Business associate may be an agent even when acting in violation of a business associate agreement, if acting for the benefit of the covered entity 36

37 Claire Turcotte 37 © Bricker & Eckler LLP

38 © Bricker & Eckler LLP 2013  HITECH introduced radical changes:  BAs directly subject to certain security standards and the privacy requirements set forth in HITECH  administrative safeguards 45 CFR 164.308  physical safeguards 45 CFR 164.310  technical safeguards 45 CFR 164.312  policies, procedures and documentation requirements 45 CFR 164.316  BAs subject to requirements under Notice of Breach rules  BAs subject to civil and criminal penalties same as CEs 38

39 © Bricker & Eckler LLP 2013  Adopts HITECH changes and also makes new changes for BAs:  Makes additional Security Rules applicable to Bas  Applies minimum necessary rule to BAs  Expands definition of “Business Associate” to include subcontractors of BAs  Clarifies definition of BAs to include Patient Safety Organizations, Health Information Exchanges, Personal Health Records (or entities offering such services on behalf of a CE)  Makes CEs liable for violations of BAs that are acting as agents of the CEs 39

40 © Bricker & Eckler LLP 2013  Omnibus Rule revisions to specify BA’s permitted and required uses and disclosures of PHI  BAs not subject to all Privacy Rule requirements. BA not required to comply with Notice of Privacy Practices requirement, for example  But Omnibus Rule revised Privacy Rule to require BAs to comply with general rule on use/disclosure of PHI  BAs can use or disclose PHI per the BA contract or as permitted by the Privacy and Security Rule 40

41 © Bricker & Eckler LLP 2013  HHS commentary:  “BAs are directly liable under the HIPAA Rules for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity, for a failure to provide access to a copy of electronic PHI to either the CE, the individual, or the individual’s designee (whichever is specified in the BAA), for a failure to disclose PHI where required by the Secretary to investigate or determine the BA’s compliance with the HIPAA Rules, for a failure to provide an accounting of disclosures, and for a failure to comply with the requirements of the Security Rule. BAs remain contractually liable for other requirements of the BAA…”  BA “becomes” a BA by definition, not by the act of signing a BAA. BA liable under HIPAA upon acting as a BA; not contingent on executed BAA 41

42 © Bricker & Eckler LLP 2013  Omnibus Rule expressly makes applicable to BAs:  “Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”  Note: applies to BAs using or disclosing PHI and disclosures by CEs to BAs and requests from BAs to CEs. CEs should not disclose more PHI than necessary to BAs; having BAA does not allow unlimited exchange of PHI 42

43 © Bricker & Eckler LLP 2013  Omnibus Rule makes following additional provisions of the Security Rule applicable to BAs:  45 CFR 164.306: Security Standards “(a) General requirements. Covered entities and business associates must do the following: Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits Protect against any reasonably anticipated threats or hazards to the security or integrity of such information Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part Ensure compliance with this subpart by its workforce”  45 CFR 164.314: Organizational Requirements Business Associate contract requirements 43

44 © Bricker & Eckler LLP 2013  Omnibus Rule adds language to the definition of “Business Associate” to clarify that Patient Safety Organizations, Health Information Exchanges, and Personal Health Records, (or entities offering these services) are BAs  45 CFR 160.103: “(1) [Business associate means] a person who (i) On behalf of [the CE] creates, receives, maintains, or transmits [PHI] for … patient safety activities listed at 42 CFR 3.20 … (3) [Business associate includes: (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to [PHI] to a [CE] and that requires access on a routine basis to such [PHI]. (ii) A person that offers a personal health record to one or more individuals on behalf of a [CE] …” 44

45 © Bricker & Eckler LLP 2013  Omnibus Rule expands the definition of “Business Associate” to include subcontractors of BAs who create, receive, maintain or transmit PHI from the BA  Subcontractors are persons to whom a BA has delegated a function, activity, or service the BA has agreed to perform for a CE or BA and where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI  Can have multiple downstream subcontractors  BA must have a BA Agreement with each subcontractor, and subcontractors must have BA Agreements with its subcontractor BAs 45

46 © Bricker & Eckler LLP 2013  Subcontractors BA Agreements:  Not required for CE to have BAA with subcontractors of the CE’s BAs  BAA between BA and subcontractor may not permit subcontractor to use/disclose PHI in manner not permitted by the BA. Each BAA in a chain, from CE to BA to subcontractors, must be as stringent or more than the last  Compliance date for having these in place is September 23, 2013; subject to extension for grandfathered agreements, see slide 21 46

47 © Bricker & Eckler LLP 2013  You will need to revise your BAAs because:  Additional provisions of Security Rules are now applicable to BAs  Minimum necessary rule now applicable to BAs  Definition of “breach” has changed. If the BAA defines breach or outlines assessment of what is a breach, this is not likely to comply with Omnibus Rule requirements  While old BAAs usually said “BA must ensure subcontractor agrees to the same restrictions,” you will want to make clear that this means BA must enter into a BAA with subcontractors  Consider adding indemnification of CE by BA for BA and its subcontractors’ compliance with Privacy and Security Rule requirements 47

48 © Bricker & Eckler LLP 2013  Compliance date:  September 23, 2013  Extended compliance date for grandfathered BAAs:  September 23, 2014  If the BAA was in place before January 25, 2013, and complied with the then-current rules, and it is not renewed or modified on or after March 26, 2013  Applies to agreements between BAs and subcontractors, but note must have had written agreement that complied with 45 CFR 164.314(a) and 45 CFR 164.504(e) 48

49 Claire Turcotte 49 © Bricker & Eckler LLP

50 © Bricker & Eckler LLP 2013  Individuals may request and CEs must now provide an individual with a copy of their PHI that is maintained by the CE as electronic PHI in a designated record set, in the electronic form and format requested by the individual if such format is readily producible  If the requested format is not readily producible, the CE must offer to produce the electronic PHI in at least one readable electronic format  If the individual declines all available electronic formats, provide a hard copy 50

51 © Bricker & Eckler LLP 2013  CEs do not need to purchase new software or hardware to accommodate requests for various types of formats; however, they must be able to provide some form of readable electronic copy  For CEs with medical records in mixed media (i.e., some paper and some electronic PHI), the CE may provide a combination of electronic and hard copies to the individual  Records maintained in hard copy do not need to be scanned 51

52 © Bricker & Eckler LLP 2013  A CE is not required to use an individual’s flash drive or other device to transfer the electronic PHI if the CE has security concerns regarding the external portable media  If an individual requests to receive the electronic copy via unencrypted email and secure email is unavailable, the CE may decide whether or not to send the electronic copy via unencrypted email  However, if unencrypted email is used, the CE must advise the individual of the risk that the information could be read by a third party 52

53 © Bricker & Eckler LLP 2013  If requested by an individual, a CE must transmit the electronic copy directly to another person designated by the individual  HHS clarified that CEs may rely on information provided by the individual regarding the third-party recipient, but they must implement policies and procedures to verify the identity of any person requesting PHI and implement reasonable safeguards to protect the information disclosed 53

54 © Bricker & Eckler LLP 2013  CEs may charge reasonable cost-based fees to individuals for providing access to PHI, including providing a copy in electronic format, including  labor costs,  supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media, and  postage  BA system maintenance, storage cost, new terminology, retrieval fees not permitted 54

55 © Bricker & Eckler LLP 2013  Under the state law preemption provisions of HIPAA, a state law imposing lower costs limits would apply. Conversely, if state law permits higher costs, then the lower HIPAA limits would apply 55

56 © Bricker & Eckler LLP 2013  The Final Rule decreases the total time CEs have to respond to requests for access from 90 to 60 days (by removing the provision allowing an additional 30 days if PHI is not maintained on-site)  CEs may provide the individual written notice of a one-time extension of up to 30 days, including the reason for the delay and the expected date of completion 56

57 Karen Smith 57 © Bricker & Eckler LLP

58 © Bricker & Eckler LLP 2013  The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI  Final Rule created an exception, and requires a CE to agree to a restriction if:  the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and  the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the CE in full 58

59 © Bricker & Eckler LLP 2013  CEs are not required to create separate medical records or otherwise segregate PHI subject to a restriction  CEs will need to flag restricted PHI or make a notation in the record that the PHI has been restricted  CEs are not required to abide by a restriction if an individual’s payment is dishonored, but they must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan 59

60 © Bricker & Eckler LLP 2013  The Final Rule limits the time period that PHI of deceased individuals must be protected to 50 years  This is not a record retention requirement  A covered entity may disclose a deceased individual's PHI to family members and others who were involved in the care or payment for care of the individual prior to death, unless the disclosure is inconsistent with any prior expressed preference of the individual 60

61 © Bricker & Eckler LLP 2013  The Final Rule permits a CE to disclose proof of immunization to a school if the school is required by law to have such information prior to admitting the student  Written authorization will no longer be required  CEs are required to obtain written or oral agreement from a parent or guardian and document the agreement  A signature is not required  An email from the parent, or a notation of a phone call in the child’s medical record or elsewhere would suffice as documentation 61

62 © Bricker & Eckler LLP 2013  Adopts the definition of “genetic information” from Genetic Information Nondiscrimination Act of 2008 (GINA), which includes:  The individual’s genetic tests  Genetic tests of family members  Family medical history  Clarifies that tests such as HIV tests, blood counts, cholesterol or liver function tests, or tests to detect the presence of alcohol or drugs, are not genetic information  Defines genetic information to include information about a fetus or embryo  Specifically excludes age and sex from the definition of genetic information 62

63 © Bricker & Eckler LLP 2013  Prohibits the use of genetic information for underwriting  “Underwriting,” includes the following:  the determination of eligibility and enrollment  premium or contribution amounts, including reduced cost sharing amounts or rewards under a wellness program  the application of any pre-existing condition exclusion  other activities related to the creation, renewal or replacement of a contract of health benefits  The use of genetic information is permitted when an individual is seeking a particular benefit and the genetic information is needed to determine the medical appropriateness of providing the benefit 63

64 © Bricker & Eckler LLP 2013  The prohibition on using genetic information for underwriting under GINA is expanded to include all entities included in the definition of “health plan,” except for long term care plans  e.g. Medicare, Medicaid, high risk pools, excepted benefits such as dental and vision  The prohibition does not apply to providers  The prohibition applies to all genetic information from the compliance date of the Final Rule forward, regardless of when or where the genetic information originated 64

65 © Bricker & Eckler LLP 2013  Compliance Date  CEs must be in compliance with the Final Rule by September 23, 2013 (with exception of grandfathered BA Agreements)  This means your policies and procedures, BA Agreements and NPPs must be revised by September 23, 2013 65

66 © Bricker & Eckler LLP 2013 Resources  HIPAA Regulations:  eAlerts:  On-line Compliance Program: 66

67 © Bricker & Eckler LLP 2013 Karen Smith 614.227.2313 Claire Turcotte 513.870.6573 67 6189374v3

Download ppt "April 19, 2013Karen Smith Claire Turcotte © Bricker & Eckler LLP 2013 1 6189374v3."

Similar presentations

Ads by Google