HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.

HIPAA Compliance
Compliance is more than a Notice of Privacy Practices...
- Privacy Rule – Been there, done that, right?
  – Recent changes/proposed rule
- Security Rule – Been there? Done that?
  – Full risk analysis
- Breach Notification – Hope you don't go there...
  – Missing addresses? Time to alert the media!

Privacy Rule: The Basics
- Notice of Privacy Practices
  – Updated? Acknowledged? Provided?
- Authorizations
  – HIPAA compliant
  – Properly retained
- Policies
  – Updated? Training?
- Business Associate Agreements
  – Organized, updated, appropriate?

Privacy Rule: Patient Rights Under HIPAA
- Inspect and copy PHI
- Request amendment of errors or incomplete information
- Obtain an accounting of disclosures
- Obtain a list of persons who have accessed PHI electronically (the proposed "access report", see next slide)
- Request a restriction of uses/disclosures
  – HITECH change
- Receive confidential communications
- Receive the Notice of Privacy Practices
- File written complaints

Changes to Privacy Rule: Accounting of Disclosures
The Proposed Rule divides the right into:
  – (a) the individual's right to an accounting of disclosures
  – (b) the individual's right to an access report
The accounting of disclosures would:
  – Be limited to designated record sets
  – Include disclosures by business associates
  – Cover an accounting period of 3 years (down from the current 6)
  – Specifically list the types of disclosures that must be accounted for

Changes to Privacy Rule: Business Associates
- Business associates are now directly subject to HIPAA (a HITECH change)
- Are you a business associate?
- Are you in compliance with HIPAA?

Security Rule Safeguards: How They Apply
Security Rule:
- Administrative safeguards – who can access?
- Physical safeguards – how can access be physically prevented?
- Technical safeguards – what programs protect access?
- Required v. addressable
- Conducting a risk analysis
- Documenting the risk analysis

Security Safeguards
- 45 CFR Part 164 (Subpart C) – generally requires ensuring the confidentiality, integrity and availability of electronic PHI (ePHI; the Security Rule does not reach paper PHI), and protection against reasonably anticipated threats, unauthorized uses and disclosures
- Applicable to covered entities, business associates, others (via grant or contract)
- Safeguards example:
  – Standard: Security management process
  – Implementation specifications:
    Risk analysis (required)
    Risk management (required)
    Sanction policy (required)
    Information system activity review (required)

Flexibility of Approach
Required v. addressable ("addressable" does not mean optional):
- If an implementation specification is required, all covered entities must implement it
- If it is addressable, the covered entity must:
  – Assess whether it is a reasonable and appropriate safeguard in its environment
  – Implement it if reasonable and appropriate
  – If not reasonable and appropriate:
    Document why; and
    Implement an equivalent alternative measure if one is available, reasonable and appropriate
  – Review and revise as necessary
- May want to apply the same approach to paper PHI as well, but that is not required

Flexibility of Approach
In determining what is reasonable and appropriate, must consider:
- Size, complexity and capabilities
- Technical infrastructure, hardware and software
- Costs of security measures
- Probability and criticality of potential risks to ePHI
- Likely contribution to protecting the ePHI
Important to reassess as the organization changes:
- Growth
- Changes in focus
- Changes in technology
- Changes in information stored

Risk Analysis: Recent Guidance
- The Office for Civil Rights posted risk analysis guidance pursuant to the HITECH requirement on July 14, 2010
- First in a series of guidance documents on implementing Security Rule safeguards
- Some NIST recommendations incorporated
- Not required to follow, but you need to document why not:
  – May have already conducted a risk analysis in a different format
  – May not be appropriate for your organization

Risk Analysis (Required)
(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization.
- What is "accurate"?
- What is "thorough"? All potential risks?
- ePHI "held by the organization" – per the OCR guidance this means all ePHI the organization creates, receives, maintains or transmits, not only what sits on its own servers

Where to Start?
Get the right people involved:
- Management
- IT
- HR
- Medical records personnel
- EHR experts
Identify the ePHI in your client's organization*:
- EHR program
- E-mails
- Documents (Word, Excel, etc.)
- Databases
- Metadata
*mentioned in OCR guidance

What Next?
Identify where ePHI is generated:
- Internally
- Externally – what are the external sources?*
Inventory the equipment holding ePHI:
- Laptops
- Desktops
- Hard drives
- Servers
- Mobile devices
- Copiers, faxes, scanners

What Resources Do We Need?
Gather the applicable documentation:
- Security Rule
- Organization policies and procedures
- List of staff
- Computer manuals and EHR instructions
- IT/compliance budget information
- Cost information for available technology
- Information about alternatives
- Old audit reports or information about risks*
  – Human risks
  – Natural/environmental risks
  – Technical risks

Required Elements of Risk Analysis (from the OCR guidance)
1. Scope of the analysis
2. Data collection
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine the likelihood of threat occurrence
6. Determine the potential impact of threat occurrence
7. Determine the level of risk
8. Finalize documentation
9. Periodic review and update

How to Document Risk Analysis
- Set up a template – many safeguards will consider the same information, the same underlying documentation and the same risks
- Make a list of all safeguards you are already in compliance with – these can be taken off the risk analysis work list (keep the evidence, though; "assess current security measures" is itself a required element)
- Make a list of all the remaining safeguards
  – If there are a lot, prioritize by risk level
  – If there are only a few, consider the benefit of simply implementing them vs. performing a risk analysis on each
- Make a master list that indicates, for every safeguard, compliance status and/or the risk assessment outcome
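The slides above describe the method but not what the resulting artifact looks like. The following is an added example, not code from the presentation, OCR or NIST: a toy risk register that follows the nine OCR elements (inventory an ePHI asset, pair it with a threat and vulnerability, rate likelihood and impact, compute and rank a risk level) and a master list that applies the required v. addressable rules from the Flexibility of Approach slides, so an addressable specification that was skipped without a documented rationale shows up as a finding rather than disappearing. The 1-3 scoring scale, the sample assets, threats and safeguard decisions are constructed for illustration; only the regulatory citations are real.

```python
"""
Toy HIPAA Security Rule risk register and safeguard master list.

Added example for illustration (not the presentation's or OCR's code).
The 3x3 likelihood-by-impact scale and every sample entry below are
constructed; the 45 CFR 164.308 / 164.312 citations are real.
"""
from dataclasses import dataclass, field

# Qualitative scales; risk level is their product (1..9).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                 # system or device holding ePHI (from the inventory)
    threat: str                # human, natural/environmental or technical threat
    vulnerability: str         # weakness the threat could exploit
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT (to confidentiality/integrity/availability)
    current_controls: list[str] = field(default_factory=list)

    @property
    def level(self) -> int:
        """Element 7: risk level = likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank(risks: list[Risk]) -> list[Risk]:
    """Highest risk first; this is the 'if there are a lot, prioritize' step."""
    return sorted(risks, key=lambda r: r.level, reverse=True)


@dataclass
class Safeguard:
    citation: str          # 45 CFR section of the implementation specification
    name: str
    required: bool         # False means addressable
    implemented: bool
    rationale: str = ""    # why not reasonable and appropriate (addressable only)
    alternative: str = ""  # equivalent alternative measure, if any


def status(s: Safeguard) -> str:
    """Classify one specification for the master list per the addressable rules."""
    if s.implemented:
        return "compliant"
    if s.required:
        return "gap: required specification not implemented"
    if s.rationale:
        alt = f", alternative: {s.alternative}" if s.alternative else ", no alternative"
        return "addressable: documented exception" + alt
    return "addressable: NOT documented (rationale missing)"


def findings(safeguards: list[Safeguard]) -> list[str]:
    """Entries that still need work: required gaps and undocumented addressables."""
    out = []
    for s in safeguards:
        st = status(s)
        if st.startswith("gap") or "NOT documented" in st:
            out.append(f"{s.citation} {s.name}: {st}")
    return out


# Constructed sample register for a small practice (illustrative values only).
SAMPLE_RISKS = [
    Risk("clinician laptop", "theft or loss", "full-disk encryption not enabled",
         "high", "high", ["cable-lock policy"]),
    Risk("EHR database server", "insider misuse", "shared admin account, logs never reviewed",
         "medium", "high", ["role-based access in EHR"]),
    Risk("file server", "ransomware", "backups untested, no offline copy",
         "medium", "high", ["endpoint anti-malware"]),
    Risk("multifunction copier", "improper disposal", "internal drive retains scanned charts",
         "low", "medium"),
]

SAMPLE_SAFEGUARDS = [
    Safeguard("164.308(a)(1)(ii)(A)", "Risk analysis", required=True, implemented=True),
    Safeguard("164.308(a)(1)(ii)(D)", "Information system activity review",
              required=True, implemented=False),
    Safeguard("164.312(a)(2)(iv)", "Encryption and decryption (at rest)",
              required=False, implemented=False),
    Safeguard("164.312(e)(2)(ii)", "Encryption (in transit)", required=False, implemented=False,
              rationale="all inter-site ePHI traffic already rides an IPsec VPN",
              alternative="site-to-site IPsec VPN; cleartext ePHI blocked at the firewall"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"[{r.level}] {r.asset}: {r.threat} via {r.vulnerability}")
    for line in findings(SAMPLE_SAFEGUARDS):
        print("TODO", line)
```

Run as a script to print the ranked register and the open findings. In the sample data the unencrypted laptop ranks first, and the two findings are the required activity review that is missing and the addressable at-rest encryption that was skipped with no written rationale; the in-transit encryption exception carries its rationale and alternative and therefore is not a finding, which is exactly the documentation the rule asks for.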

HIPAA Breach Notification Rule
- Interim Final Rule effective Sept. 23, 2009
- Final Rule ready May 2010, but withdrawn from OMB review before publication
- Interim Rule remains in effect until a Final Rule is published
- nrule/index.html


HITECH Breach Reporting
- Only covers unsecured protected health information
- Written notification to each affected individual
- More than 500 affected residents of a state or jurisdiction requires notice to prominent media
- Notice without unreasonable delay and no later than 60 days after discovery
- Specific content requirements for the notice
- Notice to HHS: at the same time as individual notice for breaches affecting 500 or more; smaller breaches are logged and reported to HHS annually

What Is a "Breach"?
Acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI.
Only applies to "unsecured PHI", such as unencrypted data on a laptop. Under the HHS guidance, PHI counts as "secured" only if it has been encrypted consistent with NIST standards (and the key was not also compromised) or destroyed; passwords and access controls alone do not make it secured.

Exceptions to Breach
- Secured PHI (encrypted or destroyed per the HHS guidance)
- Unintentional, good-faith acquisition, access or use by a workforce member or person acting under the authority of the covered entity or business associate, if within the scope of authority and there is no further use or disclosure
- Inadvertent disclosure between persons authorized to access PHI at the same covered entity, business associate or OHCA, with no further use or disclosure
- Good-faith belief that the unauthorized recipient could not reasonably have retained the information

Reporting Is Required – How Do We Do It?
Reporting methods:
- Written notification by first-class mail, unless the individual has agreed to electronic notice
- Substitute notice (conspicuous website posting or major print/broadcast media) if contact information is insufficient or out of date for 10 or more individuals; for fewer than 10, an alternative such as telephone or other written notice
- Media notification if more than 500 residents of a state or jurisdiction are affected
Reporting details:
- Without unreasonable delay and no later than 60 calendar days after discovery; a breach is "discovered" on the first day it is known, or by exercising reasonable diligence would have been known, to the entity (including its workforce and agents)
- Must include:
  – Brief description of the breach, including the date of the breach and the date of discovery
  – Description of the types of PHI involved
  – Steps individuals should take to protect themselves
  – Brief description of what the entity is doing to investigate, mitigate harm and protect against further breaches
  – Contact procedures for questions, including a toll-free telephone number, e-mail address, website or postal address

Web Resources for HIPAA
DHHS Office for Civil Rights:
- Rules (Privacy, Security, Breach Notification)
- FAQs and other informal guidance
- Understanding HIPAA Privacy – covered entities
- Enforcement activities
- Privacy complaints
- Proposed rules: search "Proposed HIPAA Regulations" – rely on hhs.gov or other official sources only
- Sign up for the OCR listserv: es/listserv.html


DHHS New(er) Websites
- Health Data Privacy and Security Resources
  – Privacy policies, HIPAA, Privacy & Security Framework
- Office of the National Coordinator for Health IT: gov__home/1204
  – HITECH, funding, updates, regulations


Questions?
Carolyn Heyman-Layne
Sedor, Wendlandt, Evans & Filippi, LLC
(907)