March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

Presentation transcript:

March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton

2 Overview
American Recovery and Reinvestment Act (“ARRA”)
Stricter privacy and security obligations under HIPAA:
-- Direct application to “business associates”
-- Breach notification requirements for unsecured PHI
-- Enhanced enforcement and penalties
-- Other changes to facilitate wider use of electronic health records
-- Additional restrictions on sale, marketing of PHI

3 Overview – Refresher
“Protected health information” (PHI): individually identifiable information, in any form, about health or condition, treatment or payment, that is created or received by a provider, health plan (including insurance issuer or agent), employer, or clearinghouse.
“Covered entity”: a health care provider, health insurance plan, or health care clearinghouse.
“Business associate”: entities that receive or are exposed to PHI in the course of providing services to or on behalf of covered entities.

4 Overview – Refresher
HIPAA Privacy Requirements for Covered Entities:
 Notice
 Opt-in
 Access
 Administrative
(Obligations of business associates effectively the same)
HIPAA Security Safeguards re Electronic PHI for Covered Entities:
 Administrative (e.g., measures to prevent and detect security violations)
 Physical (e.g., limit workstation and facility access)
 Technical (e.g., access control and audit)
(Obligations of business associates effectively the same)

5 New Privacy & Security Obligations
Obligations are now the same for “business associates” as for “covered entities” under the law
-- No longer just a matter of contractual obligation to the covered entity for whom the business associate works
-- Means enhanced enforcement and penalties under the statute will apply to business associates, in addition to any contractual penalties for failure to comply with privacy and security obligations
-- BUT, mechanics of day-to-day compliance should not change unless there is a need to adopt HHS-identified best practices

6 New Privacy & Security Obligations
Breach Notification Requirement –
 Applies only to “unsecured” PHI
 “Unsecured” = not protected by methods HHS will identify in guidance to be published April 18, 2009
 Goes into effect September 15, 2009
 Only exceptions: inadvertent internal access, or inadvertent disclosure by one authorized employee to a fellow employee at the same facility

7 New Privacy & Security Obligations
Breach Notification Requirement – Business Associates:
-- Notify Covered Entity of breach
-- Identify each individual whose information was, or reasonably may have been, disclosed in the breach

8 New Privacy & Security Obligations
Breach Notification Requirement – Covered Entities:
-- Notify each individual whose information was, or reasonably may have been, disclosed in the breach
-- Notify upon discovery of the breach

9 New Privacy & Security Obligations
Breach Notification Requirement – Covered Entities -- Notice Specifics:
-- Timing: ASAP, but no more than 60 days after breach discovered
-- Method: generally written, via mail; substitute notice via publication possible for those with outdated/no contact info
-- Content: brief description of what happened, including date of breach, date of discovery, types of PHI disclosed, steps individuals should take to protect themselves, what’s being done to investigate the breach, and contact info for further questions
-- HHS & media notice: required if more than 500 individuals in an area are affected. If fewer than 500 are affected, the breach must be logged and reported to HHS annually; logs will be publicly posted by HHS

10 New Privacy & Security Obligations
Breach Notification Requirement – Personal Health Record (“PHR”) Vendors:
-- Same breach notification requirements apply; includes entities offering products and services through a PHR vendor’s website and those who access and receive information from a PHR
-- PHR vendors are now subject to regulation by the Federal Trade Commission regarding HIPAA compliance

11 New Privacy & Security Obligations
Breach Notification Requirement –
-- HHS will publish detailed rules on the notification process for covered entities and business associates
-- FTC will publish detailed rules on the notification process for PHR vendors
-- Both sets of rules to be published by August 16, 2009

12 New Privacy & Security Obligations
Breach Notification Requirement – SAFE HARBOR
-- Adopt HHS-identified best practices

13 Enhanced Enforcement & Penalties
Broader Enforcement Mechanisms:
State Attorneys General may initiate civil enforcement in federal court if HHS or DOJ do not prosecute
-- Injunctions
-- Fines up to $25,000 for all violations of an identical requirement or prohibition per calendar year
-- Attorneys’ fees & costs
HHS OCR can investigate and fine for alleged criminal violations even if DOJ does not prosecute
Individuals may now be criminally liable, not just covered entities
HHS must conduct regular audits

14 Enhanced Enforcement & Penalties
Increased Penalties:
Unknowing violation:
-- $100-$50,000 per violation; max = $25,000-$1.5 million
“Reasonable cause” but not “willful neglect”:
-- $1,000-$50,000 per violation; max = $100,000-$1.5 million; no fine if corrected within 30 days of discovery
“Willful neglect”:
-- Corrected within 30 days: $10,000-$50,000 per violation; max = $250,000-$1.5 million
-- Not corrected: at least $50,000 per violation; max at least $1.5 million

15 Changes Concerning Electronic PHI
Existing right of access amended to include right to access any electronic PHI
-- OK to charge reasonable, cost-based fee
Existing right to an accounting of disclosures amended to include accounting for electronic PHI disclosures
-- Runs for 3 years, prospectively
-- Obligation starts sooner (January 1, 2011) for those who have not yet adopted electronic capability
Only disclose “limited data set” unless an exception applies
HHS will publish rules with more specifics

16 Other Noteworthy Changes
Health care providers can be barred from disclosing PHI concerning items for which the individual paid out-of-pocket in full
-- Be aware that insurers may not receive all information about health conditions/risks

17 Other Noteworthy Changes
Unauthorized sale of PHI prohibited
-- Exceptions for research, public health purposes; payments limited
Marketing limitations (effective February 17, 2010):
-- Marketing in context of “health care operations” limited to communications regarding health-care related product or service
-- No payments from third parties to do marketing unless merely describing a health care item or service previously prescribed or administered to recipient
-- All other marketing involving PHI requires individual’s authorization

18 Resources:
HHS website on HIPAA: (has general information)
Contact CIAB – check for more information or contact Joel Kopperud with

19 Please Note:
These slides are intended to provide only a general overview of selected issues related to the new HIPAA privacy and security requirements. They do not provide a complete analysis. The information provided is for general use only and is not intended to provide specific advice or recommendations, legal or otherwise, for any individual or organization. The information provided herein is not intended to be and should not be construed as a legal opinion or advice. You need to consult with your own attorney or other adviser relating to your specific circumstances or those of any organization that you advise. If you have any questions about these slides, feel free to contact Joel Kopperud with the CIAB at (202)
