HIPAA PRIVACY AND SECURITY FOR ACADEMIC INSTITUTIONS Presented by Brian D. Gradle, Esq. Hogan & Hartson L.L.P. Washington, D.C. December 15, 2005

2 HIPAA BACKGROUND
The first federal law to govern, among other things, the privacy and security of health information (Protected Health Information, or “PHI”).
Key Dates:
– August: The Health Insurance Portability and Accountability Act of 1996 becomes law
– April 14: HIPAA Privacy Rule compliance date
– April 20: HIPAA Security Rule compliance date

3 What/Who is Covered? “Covered Entities” are health plans (including group health plans), clearinghouses, and providers that engage in one of the HIPAA standard electronic transactions (e.g., claims filing)

4 Hybrids
Entities that have both a covered entity and a non-covered entity function, and designate the health care components. Academic institutions frequently designate their medical center and health sciences operations in this fashion.
Tip: Many hybrids will include IT Departments and personnel within the health care component. IT cannot disclose PHI to the non-health care component unless permitted under HIPAA.

5 BUSINESS ASSOCIATES
“BAs” are persons that perform functions or activities on behalf of covered entities, and receive or use PHI in the process.
Examples: Consultants; Attorneys; Accountants; IT Vendors (with access to PHI); Billing Companies
Not BAs: Custodians (despite access to PHI); IT Vendors (without access to PHI)

6 BUSINESS ASSOCIATES (Continued)
Required: Business Associate Agreement
Tip: IT consultants working alongside employees can be treated as part of the “workforce” for purposes of HIPAA. This will require HIPAA training.
Your Role: Help identify those parties that qualify as business associates. Help identify any particular privacy/security issues associated with the PHI.

7 PHI
“Protected Health Information” can be electronic, paper, oral, or other form (e.g., a photograph), so long as it is individually identifiable and relates to the individual’s health, the provision of care, or the payment for care.
Tip: Records subject to the Family Educational Rights and Privacy Act (FERPA) are not subject to HIPAA. Interpretation of the precise scope and nature of the HIPAA/FERPA overlap may differ between institutions; your institution’s privacy officer should be able to address this for your specific situation.

8 Critical Principles and Concepts Under HIPAA Privacy
1. Permitted Uses and Disclosures of PHI
A covered entity may use and disclose PHI without patient authorization:
– For purposes of treatment (including providing care, consultations, and patient referrals), payment (including activities to obtain payment or be reimbursed for providing healthcare services), and healthcare operations (a broad category that includes administrative, financial, legal, and quality improvement activities).
– Where required by law
– For law enforcement activities
– To health oversight agencies
– For research, if the IRB or privacy board has waived authorization
– Other activities set forth in the Privacy Rule

9 Critical Principles and Concepts Under HIPAA Privacy (Continued)
2. Minimum Necessary Standard
Even if the PHI use or disclosure is permitted, HIPAA requires CEs to take reasonable steps to limit it to the “minimum necessary” to accomplish the purpose.
Exceptions:
– Disclosure to providers for treatment
– Disclosure to the individual
– Disclosures authorized by the individual
– Disclosures required by law
– Disclosures to HHS for enforcement purposes and uses
– Disclosures to comply with HIPAA regulations

10 Critical Principles and Concepts Under HIPAA Privacy (Continued)
3. Patient Authorization
Uses and disclosures of PHI not expressly permitted by HIPAA require patient authorization. Authorizations must be “HIPAA compliant.” In addition, any additional state requirements (e.g., California’s 14-point font requirement, or disease-specific authorizations) must be met.
Tip: “Authorizations” you receive should be scrutinized for compliance with HIPAA, per your institution’s policies and procedures.

11 Critical Principles and Concepts Under HIPAA Privacy (Continued)
4. Notice of Privacy Practices
Health plans and providers are obligated to provide their members/patients with a Notice of Privacy Practices. Notices set forth the CE’s obligations and the member/patient’s rights regarding PHI.
NOTE: CEs that establish standards that exceed HIPAA requirements must comply with those enhanced standards.

12 Critical Principles and Concepts Under HIPAA Privacy (Continued)
5. De-identification
HIPAA does not regulate health information that has been “de-identified.”
Two Methods:
1. “Safe Harbor” method. Removal of all identifiers listed in the Privacy Rule, plus no actual knowledge that the remaining information could be used to identify the individual (e.g., job title).
2. “Statistician” method. Statistician opinion that the risk is “very small” that the information could be used, alone or in combination with other reasonably available information, to identify the individual.

13 Critical Principles and Concepts Under HIPAA Privacy (Continued) 6.Limited Data Sets HIPAA permits Limited Data Sets, which contain limited amounts of PHI (dates, town, city, state, and zip code) to be used and disclosed for research, public health, or health care operations, pursuant to a written agreement.
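Slides 12 and 13 describe the safe harbor method and the limited data set as sets of fields to remove, generalize, or retain. The Python below is an added illustration of both, not code from the presentation; the field names, the reference date used to compute age, the ZIP prefix list, and the free-text patterns are assumptions, and the sample record is constructed.

```python
import re
from datetime import date

# Direct identifiers removed by both methods: a subset of the Privacy Rule's
# identifier list, chosen for illustration. All field names are assumed.
DIRECT_IDENTIFIERS = ("name", "phone", "email", "ssn", "mrn", "photo_url", "ip_address")

# Three-digit ZIP prefixes safe harbor reduces to "000" because the area holds
# 20,000 or fewer people. Illustrative list; use current census-derived data.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns for the "no actual knowledge" check on free text left behind.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def limited_data_set(record):
    """Slide 13: drop direct identifiers, keep dates, city, state and ZIP.
    Release still requires a written data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def safe_harbor(record, today=date(2005, 12, 15)):
    """Slide 12, method 1: remove listed identifiers, keep only the year of
    dates, truncate ZIP to three digits, fold ages over 89 into "90+"."""
    out = limited_data_set(record)
    out.pop("city", None)                      # geography below state level
    dob = date.fromisoformat(out.pop("dob"))
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age > 89:
        out["age"] = "90+"                     # birth year would reveal the age
    else:
        out["age"], out["birth_year"] = age, dob.year
    if "admit_date" in out:
        out["admit_year"] = date.fromisoformat(out.pop("admit_date")).year
    zip3 = str(out.pop("zip"))[:3]
    out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
    return out

def residual_identifiers(record):
    """Flag free-text values that still look like identifiers: a hit means the
    record is not de-identified even though the listed fields were removed."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits.extend((field, kind) for kind, pat in RESIDUAL_PATTERNS.items()
                        if pat.search(value))
    return sorted(hits)

SAMPLE = {  # constructed sample record, not real data
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "email": "jane@example.org", "phone": "202-555-0101",
    "dob": "1912-03-04", "admit_date": "2005-11-30",
    "city": "Washington", "state": "DC", "zip": "20301",
    "diagnosis": "hypertension", "notes": "Follow up; call 202-555-0101",
}
```

Removing the listed fields is necessary but not sufficient: the phone number left in the notes field is a `residual_identifiers` hit, so the record still identifies the patient and cannot be treated as de-identified.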

14 Critical Principles and Concepts Under HIPAA Privacy (Continued)
7. Role-Based Access
Simply because a person can access PHI does not mean he/she should access PHI. HIPAA’s role-based access principle means that persons should use/disclose PHI only in the scope/context of their role at the organization.
Tip: For IT professionals, with sometimes unrestricted access, this is a critical concept to understand and follow.

15 Critical Principles and Concepts Under HIPAA Privacy (Continued)
8. Training
All members of the CE workforce must be trained on the HIPAA policies and procedures as necessary and appropriate to carry out their functions.
Tip: The format and style of training (e.g., by department, in person, on-line) is up to the CE to decide.

16 Critical Principles and Concepts Under HIPAA Privacy (Continued)
9. HIPAA provides individuals with certain rights regarding their health information, including:
– The Right to Request Access to their records (if not granted, CE must explain basis for decision).
– The Right to Request an Amendment to their records (if not granted, individual has right to provide a statement of disagreement for the records).
– The Right to Request an Accounting of Disclosures (excludes treatment, payment, healthcare ops, incidental, and others).
– The Right to Request Restrictions on Disclosures for treatment, payment, healthcare ops (CE does not need to comply, but is bound if it does).
– The Right to Request Communications by alternative means or alternative locations (CE to accommodate, if reasonable).

17 Unintended Consequences/Key Challenges of HIPAA Privacy
1. Unintended Consequence: Disrupting the flow of PHI between providers for treatment.
HIPAA expressly permits the flow of PHI between providers for treatment purposes, and without the “minimum necessary” requirement.

18 Unintended Consequences/Key Challenges of HIPAA Privacy (Continued)
2. Key Challenge: Dealing with “Representatives” of Patients
HIPAA defines “personal representatives” as those persons that under applicable law (usually state law) have the authority to make healthcare decisions for the patient. Adult children of elderly patients, parents of teenage patients, and patient friends or companions may not necessarily be “personal representatives” under applicable law.

19 Unintended Consequences/Key Challenges of HIPAA Privacy (Continued)
3. Unintended Consequence: Creation of BA Agreement backlog.
Many CEs continue to negotiate with BAs regarding the terms and conditions of BA Agreements, particularly “business points” (liability, indemnification, insurance).

20 Unintended Consequences/Key Challenges of HIPAA Privacy (Continued)
4. Key Challenge: Mitigation
HIPAA requires CEs to mitigate the harmful effects of an improper use/disclosure of PHI, to the extent practicable. What does this mean, particularly in terms of patient notification?
Tip: Do not forget state law in this situation.

21 Unintended Consequences/Key Challenges of HIPAA Privacy (Continued)
5. Key Challenge: Preemption
Most state laws are not preempted by HIPAA, including those that are more protective of individuals than HIPAA. Frequently, states will create heightened protection for certain conditions/diseases, such as HIV/AIDS, STDs, pregnancy, and genetic testing.

22 Unintended Consequences/Key Challenges of HIPAA Privacy (Continued)
6. Key Challenge: Use/Disclosure of PHI for Research
HIPAA generally requires patient authorization, or IRB/privacy board waiver, for PHI to be used/disclosed for research. There is a conflict between the Common Rule, which permits non-study-specific informed consent, and HIPAA, which requires study-specific authorizations.

23 HIPAA Security in a Nutshell
“Covered entity must [e]nsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.” – HIPAA Security Rule.
“A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” – The “mini Security Rule” under the HIPAA Privacy Rule.

24 Security Rule The Security Rule includes 22 standards, along with 19 required implementation specifications and 20 addressable specifications under its physical, administrative, and technical safeguard categories. This includes an overall “risk analysis” that must be conducted.

25 Key Security Rule Implementation Challenges
1. Recognizing that the Security Rule’s flexible approach (measures must be “reasonable and appropriate”) means that “one size does not fit all.”
Tip: Even among academic institutions with HIPAA compliance obligations, standards for compliance will vary significantly.

26 Key Security Rule Implementation Challenges (Continued)
2. Building a team (IT, Compliance, Legal) that can evaluate security risks, develop and implement safeguards, and appropriately document policies, procedures, and the overall decision-making process.

27 Key Security Rule Implementation Challenges (Continued)
3. Balancing competing interests between confidentiality, integrity, and availability. Data that is “too secure” and not readily available to a provider upon request can be just as problematic as non-secure data.

28 Key Security Rule Implementation Challenges (Continued)
4. What are the expectations for business associates? The Security Rule does not prescribe the safeguards for BAs – only that they be reasonable and appropriate.
Tip: IT may be asked to participate in an evaluation by the CE of a BA’s security safeguards.

29 Key Security Rule Implementation Challenges (Continued)
5. Commercial Off-the-Shelf Software in Medical Devices
Medical devices that utilize COTS may be impacted by software security patches and enhancements.

30 Security Rule Implementation Myths and Misunderstandings
1. The Security Rule requires to be encrypted.
The Security Rule does not require containing PHI to be encrypted. What it does require is a covered entity to address whether or not it is going to encrypt, as part of its security evaluation.
Tip: This assessment is often a key role for IT.

31 Security Rule Implementation Myths and Misunderstandings (Continued)
2. You can purchase “HIPAA Compliant” software, hardware, medical devices, etc.
The level of security that a CE should establish is affected by a number of factors, including the CE’s size, costs, and the probability and criticality of risks. These are unique to CEs, and software, hardware, and devices’ security features typically do not take these factors into consideration.

32 Security Rule Implementation Myths and Misunderstandings (Continued)
3. The government has authorized certain vendors to deem parties as “HIPAA compliant.”
While the use of outside consultants and vendors can be useful, no outside party has been vested with the authority to deem a CE as HIPAA compliant.

33 HIPAA Enforcement and Penalties
HHS Office for Civil Rights: Privacy Rule (civil)
HHS Office of E-Health Standards and Services: Security Rule (civil)
DOJ for criminal enforcement (over 200 cases under review)
Penalties:
For Covered Entities: $100 per violation, up to $25,000/year for multiple violations of the same standard (civil penalties). Criminal penalties go up to a $250,000 fine and 10 years in jail for wrongful receipt or disclosure of PHI with intent to use for commercial advantage, personal gain, or malicious harm.
For Any Person: A June 2005 DOJ memorandum stated that any person could be prosecuted for aiding and abetting or conspiring to commit a HIPAA violation.

34 HIPAA Enforcement and Penalties (Continued)
Finally, enforcement is essentially complaint-driven at this time.
Privacy: Since April 2003, 15,000 complaints
Security: Since April 2005, 20 complaints
Criminal Prosecution: U.S. v. Gibson resulted in a $9,000 fine and a 16-month jail sentence for a healthcare worker who used cancer patient records to obtain credit cards.