Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy June 23, 2014 Presented by Jennifer Breuer, David Mayer and Sara Shanti.

Similar presentations

Presentation on theme: "HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy June 23, 2014 Presented by Jennifer Breuer, David Mayer and Sara Shanti."— Presentation transcript:

1 HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy June 23, 2014 Presented by Jennifer Breuer, David Mayer and Sara Shanti Sponsored by:

2 Program Outline 2  Background – HIPAA Omnibus Final Rule  Business Associates –New responsibilities for business associates –Changes to Business Associate Agreements that must be in place as of September 23, 2014 –Recommended compliance strategies  Security Risk Analyses  Enforcement  OCR Audits


4 Background – HIPAA Omnibus Final Rule 4  Announced on January 17, 2013  Published in Federal Register on January 25, 2013 –  Effective on March 26, 2013  Initial Compliance Date: September 23, 2013 –HHS began enforcing Final Rule on the Initial Compliance Date  Final Compliance Date: September 23, 2014 –If existing BAAs were not renewed or modified between March 26 and September 23, 2013, they will remain compliant until the earlier of: The date the BAA is renewed or modified after September 23, 2013; or September 22, 2014


6 Business Associates (BAs) 6  The HIPAA Omnibus Final Rule made the following key changes to Business Associates: –Expands definition of BAs –Expands compliance obligations applicable to BAs –Explains scope of direct liability for violations applicable to BAs –Identifies required changes to BA agreements

7 Business Associates: Definition (cont’d) 7  BAs are still BAs: –A person or entity who creates, receives, maintains, or transmits PHI on behalf of a Covered Entity Change reflected in the addition of “maintains”  Definition of BA now specifically includes: –Health Information Organization, E-Prescribing Gateway, or other person who provides data transmission services with respect to PHI to a Covered Entity and who requires access to such PHI on a routine basis –A person who offers a personal health record to one or more individuals on behalf of a Covered Entity This does not include PHR vendors that offer PHR directly to an individual and not on behalf of a Covered Entity

8 Business Associates: Definition (cont’d) 8  Subcontractors are now BAs: –Definition of “business associate” now includes a “subcontractor that creates, receives, maintains, or transmits [PHI] on behalf of the business associate” “Subcontractor” is a person to whom a BA delegates function, activity or service, other than in the capacity of a member of the workforce of such BA BA does not need to provide Subcontractor with PHI directly –A Covered Entity can provide PHI directly to a BA’s subcontractor without the subcontractor being the Covered Entity’s direct BA  Note: a BA’s disclosure of PHI for its own management, administration and legal responsibilities may not create a subcontractor relationship with the recipient

9 Responsibilities of Business Associates 9  BAs are governed by: –HIPAA Most Security Rule standards and implementation specifications extend directly to BA All relevant Privacy Rule provisions extend directly to BA Legal obligations and enforcement risks –Contracts Terms of the BAA continue to govern BAs Terms of Master Services Agreements, Confidentiality Agreements, etc. –Vicarious liability Common law BAs may be “agents” of Covered Entity

10 Responsibilities of Business Associates (cont’d) 10  BAs are now directly liable for: –Security Rule compliance Complying with administrative, physical, and technical safeguards and documentation requirements BAs must conduct a risk analysis of potential security risks and vulnerabilities –Uses and disclosures of PHI only as permitted: Under BAA – BA must comply with terms of BAA Under HIPAA – BA cannot use PHI in a manner that would be impermissible by a Covered Entity

11 Responsibilities of Business Associates (cont’d) 11  BAs also directly liable for: –Failing to notify Covered Entities of breaches of unsecured PHI –Failing to disclose PHI when required by HHS to determine compliance –Failing to disclose PHI to Covered Entity or individual to satisfy an individual’s request for electronic copy of PHI –Failing to make reasonable efforts to limit use and disclosure of PHI to minimum necessary –Failure to enter into BAAs with subcontractors

12 Responsibilities of Business Associates (cont’d) 12  A BA that becomes aware of noncompliance by a subcontractor must: –Take reasonable steps to cure the breach or end the violation –If steps are unsuccessful, terminate the relationship  Otherwise, the BA may face liability for its own noncompliance with BA requirements


14 Business Associate Agreements 14  BAAs must require BAs to: –Use appropriate safeguards for electronic PHI –Report to Covered Entity use or disclosure of PHI not provided in the BAA, including: Breaches of unsecured PHI Any security incident –Ensure that “subcontractors” agree to the same restrictions and conditions as the BA with regard to PHI –If a BA carries out a Covered Entity’s obligation under HIPAA, comply with those HIPAA requirements that would apply to Covered Entity in the performance of such obligation

15 Business Associate Agreements (cont’d) 15  Other key changes to BAAs (since last modified in June 2006): –BA must comply with the Security Rule Risk Analysis Safeguards Reporting –BA must maintain and make available information required to make an accounting of disclosures  Sample BAA –HHS released a form of BAA on January 25, 2013 – es/contractprov.html es/contractprov.html

16 Business Associates and Subcontractors 16  Must have BAAs in place, even though BAs are directly liable under many provisions of HIPAA  BAs must enter into BAAs with their subcontractors –BA may disclose PHI to a subcontractor only with a BAA –No BAA is required between Covered Entity and the BA’s subcontractor  Each BAA in the chain must be at least as stringent than the one above it regarding the uses and disclosures of PHI –Extension of rules not limited to “first tier” contractors, but to all downstream contractors  BA, as opposed to Covered Entity, is responsible for responding to any noncompliant subcontractors

17 Other BAA Terms and Trends 17  Industry trends in BAAs –BA Indemnification Specifically, related to breaches that require costly notification –Permit Aggregation –Permit De-identification –Acknowledgements of BA obligations under HIPAA –Liability could attach under agency theory


19 Compliance Strategies 19  Do not aim to “overachieve” –HHS looks to the BAA and internal policies for compliance –Where internal policies are more restrictive than HIPAA standards, HHS may determine noncompliance on the basis of policies rather than legal requirements

20 Compliance Strategies 20  More covered entities are using BAAs to transfer obligations –Some highlight BA HIPAA obligations –Some insert additional compliance requirements –Some use BAAs to limit the covered entity’s own inability Indemnification clauses Reference to MSA clauses Insurance requirements


22 Security Risk Analyses 22  HIPAA requires BAs to conduct the same security risk analysis that a Covered Entity must undertake  Covered Entities must: –Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization

23 Security Risk Analyses 23  OCR believes Risk Analyses are best practices in the health care industry  Covered Entities have been subject to this Security Rule requirement since April 2003 –Enforced by OCR since July 2009  In the case of a breach or other investigation, OCR will request a copy of a CE Risk Analysis: –Risk Analysis should be current Should be reviewed/revised every 2 or 3 years –Risk Analysis should reflect changes in operations E.g., implementation of new systems –Risk Analysis should address mobile devices

24 Security Risk Analyses 24  Risk Analysis should be scalable and flexible –Does not have to be a single document  Risk Analysis can be a useful business tool for determining the IT strengths and weaknesses of an organization –More and more CEs and other contractors are wanting to review their vendors’ security risk analyses  Risk Analysis requires an organization to consider what administrative, physical and technical safeguards it has in place to protect PHI

25 Elements of a Risk Analysis 25  Identify ePHI within the organization –All systems, programs and applications used to create, maintain, receive and transmit ePHI  Identify all external sources of ePHI –Third-party vendors, consultants and subcontractors  Review human and environmental threats –Current Security Measures –Likelihood of Threat –Impact of Threat  Document all of the above

26 Elements of a Risk Analysis 26  Vulnerability –A system weakness that could result in a breach  Threat –The potential for a person or thing to exercise a vulnerability  Risk –The impact considering the probability of a given vulnerability and threat  The Risk Analysis should identify each Vulnerability, Threat and Risk as High, Medium or Low


28 Enforcement Process 28

29 Enforcement Trends 29

30 Recent Enforcement Actions 30  Columbia University/New York Presbyterian Hospital (2014) –Impermissible disclosure of ePHI of 6,800 patients to Google/other search engines Disclosed PHI included patient status, vital signs, medications and lab results Computer server with access to ePHI was not properly configured –Failure to conduct accurate and thorough risk analysis –HHS investigation found: Failure to implement processes for assessing and monitoring all IT systems that accessed PHI Failure to implement policies and procedures for authorizing access to databases containing PHI Failure to follow policies on information access management –$4.8 MM resolution payment to HHS; largest settlement to date

31 Recent Enforcement Actions (cont’d) 31  Concentra Health Services (2014) –Unencrypted laptop stolen from PT department –HHS investigation found: Failure to adequately remediate and manage its identified lack of encryption –Risk analysis did not address why encryption was not reasonable and appropriate and what other measures would be taken to secure PHI Failure to implement policies and procedures to prevent, detect, contain and correct security violations –$1.7 MM resolution payment to HHS

32 Recent Enforcement Activities (cont’d) 32  Shasta Regional Medical Center (2013) –SRMC responded to media allegations of Medicare fraud by providing information about medical services provided to patient without authorization Disclosures made to California Watch, The Record Searchlight and The Los Angeles Times –SRMC also revealed the patient’s PHI to its entire workforce and medical staff without authorization –HHS investigation found: Failure to safeguard PHI Impermissible use of PHI Failure to sanction appropriate workforce members pursuant to internal sanctions policy –$275,000 resolution payment to HHS

33 Recent Enforcement Activities (cont’d) 33  Phoenix Cardiac Surgery, P.C. (2013) –Practice published patient scheduling information to publicly accessible, Internet-based calendar and transmitted ePHI from Practice’s e-mail account to workforce members’ personal e-mail account –HHS investigation found: Failure to provide and document training of workforce members on use and disclosure of PHI Failure to implement administrative and technical safeguards to protect ePHI –No Security Official identified Failure to obtain satisfactory assurances from business associates that they would appropriately safeguard ePHI –No Risk Analysis performed –No BAA in place with vendor that provided Internet-based calendar –$100,000 resolution payment to HHS

34 Recent Enforcement Activities (cont’d) 34  Future Enforcement –OCR anticipates more aggressive enforcement Attention on risk analyses Mobile devices –Monetary settlements –Corrective Action Plans  Common Law –Post-breach private actions State jurisdictions Standards of harm vary (including lack thereof)


36 2012 Implementation of Pilot Audit Program 36 Audit Protocol Design Create a comprehensive, flexible process for analyzing entity efforts to provide regulatory protections and individual rights Resulting Audit Program Conducted 115 performance audits from November 2011 through December 2012 to identify findings with regard to adherence to standards. Two phases: Initial 20 audits tested original audit protocol Final 95 audits used modified audit protocol

37 Audit Program Likely to Begin Again in 2014 37  Pilot Program is currently under review for effectiveness  Lessons from Pilot Program will be implemented in future program  Future audits likely to include CEs and BAs –1,200 candidates identified as potential audit targets Two-thirds are CEs; one-third are BAs –Number of actual audits likely to be much less than 1,200  Future audits likely to focus on Security Rule compliance –Failure to perform a thorough risk analysis is the biggest source of Security Rule violation

38 Understanding HIPAA Audits 38  NOT an investigation  Random –Does NOT indicate that a complaint has been filed or that OCR is suspicious about the audit target  NOT intended to be confrontational  Covered Entities (and BAs) need to be prepared for Audits –Provide prompt and complete cooperation during Audit –Conduct regular self-audits to prepare (at least annually) –DOCUMENT compliance activities; make sure documentation is organized and accessible

39 Who Can Be Audited? 39 Any Covered Entity For Pilot Program, OCR reviewed range of types/sizes Health plans of all types Health care clearinghouses Individual and organizational providers Any Business Associate HITECH Act permits review of BAs of all sizes

40 What to Expect During an Audit 40  Notification letter –Auditee should confirm its authenticity  Letter will request documentation (10-day turnaround)  Letter will provide notice of a site audit (30 – 90 days from date of letter)  Site Visit –Interview of key personnel –Observations of processes and operations  Receipt of Draft Report/Opportunity to Respond (10 days) –OCR will not see draft report  Issuance of Final Audit Report –OCR will receive copy of final report, which incorporates the steps the auditee has taken to resolve any compliance issues identified by the audit and describes any best practice  Audit Protocol available on OCR’s website

41 Questions? 41

42 Contact Information 42 Jennifer Breuer, Partner Drinker Biddle & Reath LLP (312) 569-1256 David Mayer, Senior Advisor Drinker Biddle & Reath LLP (312) 569-1060 Sara Shanti, Associate Drinker Biddle & Reath LLP (312) 569-1258 Or, visit our website for more information at:

43 43 Footer (edit using the slide master) | Thank you to our sponsor Iatric Systems Business Associate Manager™ manages the risk and workflow necessary for organizations to ensure due diligence with their business associate relationships. By monitoring and managing the risk of business associate agreement and providing alerts when agreements need updating. Business Associate Manager™ helps organizations protect patient privacy and build trust.

Download ppt "HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy June 23, 2014 Presented by Jennifer Breuer, David Mayer and Sara Shanti."

Similar presentations

Ads by Google