2013 HIPAA/ HITECH UPDATE Dirk D. Wilke, J.D., M.B.A. North Dakota Department of Health HIPAA Coordinator and Privacy Officer.

Presentation transcript:

2013 HIPAA/ HITECH UPDATE Dirk D. Wilke, J.D., M.B.A. North Dakota Department of Health HIPAA Coordinator and Privacy Officer

HIPAA/HITECH Overview
- HIPAA stands for the "Health Insurance Portability and Accountability Act" of 1996.
- HITECH stands for Health Information Technology for Economic and Clinical Health; it was established in 2009.
- 45 CFR parts 160 and 164.

Who must comply with HIPAA/HITECH
- HIPAA: all covered entities and business associates, as defined by HIPAA, are required to comply with both HIPAA's Privacy and Security Rules.
- HITECH: covered entities, business associates, vendors of personal health records, and certain other entities must comply with the HITECH Act.

Covered Entities: Health Care Providers
- This includes all health care providers, regardless of practice size, provided that they transmit health information electronically. The specific electronic transactions subject to this rule are those covered under the HIPAA Transactions Rule.
- Providers subject to the Privacy Rule include:
  o Doctors,
  o Clinics,
  o Psychologists,
  o Dentists,
  o Chiropractors,
  o Nursing Homes, and
  o Pharmacies.

Covered Entities: Health Plans
- Medical, Dental, and Vision Plans
- HMOs
- Medicare and Medicaid
- Medicare+Choice and Medicare Supplement Insurers
- Long-Term Care Insurers (excluding nursing home fixed-indemnity policies)
- Veterans Health Plans
- Company Health Plans
- Exceptions include:
  o A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity;
  o Government-funded programs whose principal purpose is not providing or paying the cost of health care;
  o Government-funded programs whose principal activity is directly providing health care, or making grants to fund the direct provision of health care; and
  o Certain types of insurance entities, such as those providing only workers' compensation, automobile insurance, and property and casualty insurance.

Covered Entities: Health Care Clearinghouses
- Entities that process nonstandard health information they receive from another entity into a standard form (i.e., standard electronic format or data content), or vice versa. This includes:
  o Billing Services,
  o Repricing Companies,
  o Community Health Management Information Systems, and
  o Value-added networks and switches, if these entities perform clearinghouse functions.

Business Associate
- A "business associate" is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. A covered entity can be a business associate of another covered entity.
- Examples of Business Associates:
  o A third-party administrator that assists a health plan with claims processing.
  o A CPA firm whose accounting services to a health care provider involve access to protected health information.
  o An attorney whose legal services to a health plan involve access to protected health information.
  o A consultant that performs utilization reviews for a hospital.
  o An independent medical transcriptionist that provides transcription services to a physician.

What is Protected Health Information?
- Protected Health Information, or PHI, is personally identifiable information linked to a health event.
- Examples could include:
  o Names
  o All geographic subdivisions smaller than a state (city, county, zip code, etc.)
  o All elements of dates (except year) or dates directly related to a person
  o Phone numbers
  o Fax numbers
  o Email addresses
  o Social Security Numbers
  o Health insurance information
  o Photos
  o Medical record numbers
  o Account numbers
  o Certificate/license numbers
  o Health information (e.g., lab results, medical history)

HIPAA Exceptions
HIPAA allows the use or disclosure of PHI for:
- Treatment: providing care to patients
- Payment: the provision of benefits and premium payments
- Operations: normal business activity (reporting, training, quality improvement, eligibility checking)
These three purposes are collectively known as TPO. In most cases, use of PHI outside of TPO is not allowed without a signed authorization, unless the use is otherwise permitted or required by law.

Public Health Exception
- The Privacy Rule permits covered entities to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability.
- Examples include:
  o the reporting of a disease or injury;
  o reporting vital events, such as births or deaths;
  o conducting public health surveillance, investigations, or interventions.
- See 45 CFR (b)(1)(i).

Who is a Public Health Authority?
- A "public health authority" is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate. See 45 CFR.
- Examples of a public health authority include:
  o State and local health departments,
  o the Food and Drug Administration (FDA),
  o the Centers for Disease Control and Prevention, and
  o the Occupational Safety and Health Administration (OSHA).

Minimum Necessary Standard
When using, disclosing, or requesting PHI, the PHI must be limited to the minimum necessary to accomplish the purpose of the request.
- Verify that the amount of information being used is reasonable.
- Limit access to PHI to those who require it to do their jobs.

2013 HIPAA/HITECH Changes
- LOTS.
- The long-awaited final omnibus rule (Omnibus Rule) that modifies the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was announced on January 25, 2013.
- Leon Rodriguez, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), calls the changes the "most sweeping" since the HIPAA Privacy and Security Rules were first implemented.

2013 HIPAA/HITECH Changes
- The Omnibus Rule took effect on March 26, 2013.
- HIPAA covered entities and business associates generally have 6 months, until September 23, 2013, to become compliant with the Omnibus Rule.

2013 HIPAA/HITECH Changes
1. Breach Notification Standard Lowered
2. Expanded Definition of Business Associate
3. Application of HIPAA to Business Associates
4. New Requirements for Business Associates
5. New Requirements for Notice of Privacy Practices
6. Fundraising
7. Expanded Patient Rights
8. Increased Flexibility with PHI of Deceased Patients
9. Civil Monetary Penalties

Breach Notification Standard Lowered
- Previous standard: a Covered Entity or Business Associate had to conduct a risk assessment to determine whether the use or disclosure of PHI in question "poses a significant risk of financial, reputational, or other harm to the individual."

Breach Notification Standard Lowered
- Under the Final Rule, an improper use or disclosure of PHI is now presumed to be a breach unless the Covered Entity or Business Associate "demonstrates that there is a low probability that the protected health information has been compromised" through a risk assessment of at least the four factors set forth in the new regulations:
  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the PHI has been mitigated.

Expanded Definition of Business Associate
- The Final Rule broadens the definition of Business Associate under HIPAA, such that HIPAA now applies to a whole new group of entities that will all need to be compliant by September 23, 2013. The Final Rule clarifies that the following persons and entities are now Business Associates under HIPAA:

Expanded Definition of Business Associate
- Any person or entity that provides data transmission services of PHI to a Covered Entity and requires routine access to such PHI.
  o Covered Entities will need to review their relationships with vendors and others who transmit PHI on their behalf and determine whether that person or entity requires access to its PHI on a routine basis.
- Any subcontractor of a Business Associate that handles PHI.
  o If a Business Associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is now a Business Associate under HIPAA, and under the new regulations there must be a written agreement in place between the Business Associate and its subcontractor that meets all of the requirements of a Business Associate Agreement under HIPAA.
  o The Final Rule also makes it clear that in this situation it is the Business Associate that retains the subcontractor, and not the Covered Entity, that is responsible for ensuring a proper Business Associate Agreement is in place.
- Any entity that maintains PHI on behalf of a Covered Entity.
  o Under the Final Rule, a Business Associate now includes a person or entity that maintains PHI on behalf of a Covered Entity, even if that person or entity does not access or view the PHI. If a Covered Entity uses an outside organization to store and/or maintain its PHI, it now needs to make sure it has a Business Associate Agreement in place with that vendor that meets all the requirements under HIPAA.

Application of HIPAA to Business Associates
- The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates, and provides that if a Business Associate violates any HIPAA provision that is now directly applicable to it, the Business Associate is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH. Under the revised HIPAA regulations, Business Associates are now directly liable for:
  1. Impermissible uses or disclosures of PHI;
  2. Failure to provide proper breach notification to a Covered Entity;
  3. Failure to provide appropriate access to an electronic copy of PHI to a Covered Entity, individual, or individual's representative;
  4. Failure to disclose PHI when required by HHS to investigate the Business Associate's compliance with HIPAA;
  5. Failure to provide an accounting of disclosures;
  6. Failure to comply with the applicable requirements of the Security Rule.
- Perhaps most significantly, the Final Rule provides that if a Business Associate violates a provision of a Business Associate Agreement, that contractual violation is now a HIPAA violation.
- The Final Rule also states that Business Associates must comply with HIPAA's "minimum necessary" standard and may only use, disclose, or request PHI from another entity if they limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.

New Requirements for Business Associate Agreements
- Under the new regulations, Business Associate Agreements must now require that the Business Associate will:
  1. Comply, where applicable, with the HIPAA Security Rule;
  2. Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules;
  3. Make certain that any subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate (there must now be a Business Associate Agreement in place between a Business Associate and its subcontractors in these circumstances); and
  4. Comply with the requirements of the HIPAA Privacy Rule whenever the Business Associate is required to perform the Covered Entity's obligation under the Privacy Rule.
- Business Associate Agreements entered into prior to January 25, 2013, between Covered Entities and Business Associates (as well as between Business Associates and their subcontractors) that are not renewed or modified between March 26, 2013, and September 23, 2013, and that met the requirements of HIPAA and HITECH prior to January 25, 2013, will be granted grandfathered status and deemed to remain in compliance until September 23, 2014, or the date the contract is renewed or modified, whichever occurs first. All other Business Associate Agreements must be in compliance with the new regulations by September 23, 2013.

New Requirements for Notice of Privacy Practices
- The Final Rule requires Covered Entities to revise their Notice of Privacy Practices to include a statement that:
  1. Describes the types of uses and disclosures that require authorization under HIPAA (if the Covered Entity intends to engage in any of them);
  2. Informs individuals that they have the right to opt out of receiving fundraising communications (if the Covered Entity uses PHI to conduct fundraising activities);
  3. Informs individuals that they have the right to pay out-of-pocket for a service and, if they do so, the right to require that the Covered Entity not submit PHI about that service to their health plan; and
  4. Informs individuals that the Covered Entity has a duty to notify affected individuals following a breach of unsecured PHI.

Fundraising
- The Final Rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of individuals' health information without their permission.
- The Final Rule tightens the rules on giving individuals the opportunity to opt out of receiving future fundraising materials, and requires clear instructions on how to opt out.

Expanded Patient Rights
- Under the Final Rule, a Covered Entity is required to abide by an individual's request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the Covered Entity in full.
- The new regulations also provide that if an individual requests an electronic copy of their PHI, a Covered Entity must provide access to that information in electronic form if it is readily producible in that form. So a Covered Entity will have to produce PHI in an electronic format if it maintains records electronically (as it is considered readily producible in this circumstance).
- Further, under the Final Rule, if an individual directs a Covered Entity, in a signed writing, to electronically transmit a copy of the PHI to another person designated by that individual, the Covered Entity must transmit the PHI electronically to that party.
- Additionally, HIPAA now permits a Covered Entity only one 30-day extension to respond to a request for access.
- Finally, the new regulations streamline individuals' ability to authorize the use of their health information for research purposes, and make it easier for parents and others to give permission to share proof of a child's immunization with a school.

Increased Flexibility with PHI of Deceased Patients
- Under the Final Rule, Covered Entities are now permitted to disclose PHI to a decedent's family members and others who were involved in the patient's care, or in payment for that care, prior to death, unless doing so would be inconsistent with any prior expressed preference known to the Covered Entity.
- This is limited to disclosing PHI that is relevant to the family member's or other person's involvement in the individual's health care or payment.
- Additionally, under the new HIPAA regulations, health information is no longer PHI once the patient has been dead for 50 years.

Civil Monetary Penalties
- The Final Rule retains the increased civil monetary penalties for HIPAA violations that were set forth under the HITECH Act. The tiered penalty system currently applies to Covered Entities, and under the Final Rule it will also apply to Business Associates and their subcontractors.
- The penalty amounts range from $100 per violation up to a maximum penalty of $1.5 million for violations of the same HIPAA provision in a calendar year.
- Penalties in the four-tiered system increase with the level of culpability. The lowest tier ($100 to $50,000 per violation) applies where the Covered Entity or Business Associate did not know about the HIPAA violation.
- The highest tier, which starts at $50,000 per violation, applies when the Covered Entity or Business Associate showed "willful neglect" in violating HIPAA and failed to correct the violation.

PENALTIES CHART

QUESTIONS