HIPAA and HITECH The Latest Developments Presented By: Michele Madison Partner, Healthcare Practice Morris, Manning & Martin, LLP
Overview Enhanced HIPAA Patient Rights Business Associates Transaction and Code Sets Transaction and Code Sets HITECH Enforcement Audits Breach Log 2
Patient Rights 3
Rules and Regulations HIPAA Privacy and Security Rule HITECH February 17, 2009 Proposed Rule July 14, 2010
Proposed RuleJuly 14, 2010 Extends the HIPAA Applicability to Business Associates Establishes new limitations on the use and disclosure of PHI for marketing and fundraising purposes, Prohibits the sale of PHI Expands Patient Rights Strengthens and expands HIPAA’s enforcement provisions.
Enhanced Restrictions on Disclosures PHI Disclosures (Section 13405(a)) HITECH Act requires CEs to comply with a patient’s request not to use or disclose PHI if the disclosure Would be to a health plan for carrying out payment or health care operations (not for treatment); and PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.” 6
Minimum Necessary Limited Data Set and Minimum Necessary HITECH Act (Section 13405(b)) requires CEs to limit PHI disclosures “to the extent practicable” to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively”. 7
Minimum Necessary Secretary guidance on what constitutes “minimum necessary” will be issued in next 18 months All the current exceptions to the existing minimum necessary disclosure standard, including disclosures made for treatment purposes and disclosure required by law are retained This is not applicable to de-identified PHI 8
Accounting to Patients Accounting for PHI Disclosures (Section 13405(c)) Covered Entities are required by HITECH to account for disclosures of PHI to carry out treatment, payment and health care operations. Disclosures must be accounted for during the three years prior to the request if an EHR was used 9
Proposed Rule May 31, 2011 DHHS issued a proposed Rule to provide guidance on implementation of HITECH changes related to accounting Comments were received until August 1, 2011
Proposed Rule HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012 As of today’s date, the Rule has not been Finalized
Accounting to Patients Effective Date The accounting requirement effective date depends on when the CE received the EHR For EHR received as of January 1, 2009, these accounting rules apply to PHI disclosures starting January 1, 2014 Proposed rule has effective Date of January 1,
Sale of PHI Prohibitions Sale of PHI Prohibitions Receiving remuneration in exchange for any PHI of an individual is prohibited without obtaining a specific authorization from the individual (Section 13405(d)) Additional regulations will be issue within 18 months after February 17, 2009 Effective for exchanges of PHI occurring 6 months after the date of promulgation of the final regulations 13
Sale of PHI Prohibitions Seven exceptions to Sale of PHI Prohibitions. The sale prohibitions does not apply to: Public Health activities as defined under HIPAA Research, up to the costs of preparation and transmittal of PHI; Treatment of the individual Sale, transfer, merger or consolidation of all or part of the Covered Entity and due diligence related 14
Sale of PHI Prohibitions A Business Associate’s duties to a Covered Entity under a business associate agreement Delivering a copy of the individual’s PHI pursuant to HIPAA section and Other PHI exchanges that the Secretary deems similarly “appropriate and necessary” as exceptions in the new regulations
Right of Access Right of Access to PHI in EHR (Section 13405(e)) If a CE “maintains an electronic health record with respect to” the CE must produce a copy of that PHI in electronic format upon request of a patient transmit the copy directly to an entity or person designated by the individual But only if the patient’s request is “clear, conspicuous, and specific” (45 CFR the Access of Individuals to PHI) Charges cannot exceed the labor costs in responding to the request 16
September 14, 2011 Proposed Rule to permit Individuals Access to Directly receive lab results from Laboratory Comments received through November 14, 2011
Restrictions on Marketing Communications Restrictions on communications of CE and BA marketing to potential buyers or users (Section 13406) Any communication that encourages the recipient to purchase or use a product or service is not considered a health care operation unless it is made: 18
Restrictions on Marketing Communications to describe a product or service (or payment therefore) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about: “the entities participating in a health care provider network or health plan network health plan replacements or enhancements and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits”
Restrictions on Marketing Communications Further exceptions: treatment of the individual; or case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual 20
Restrictions on Marketing Communications The exceptions above will not be considered health care operations if the CE receives “direct or indirect payment” in exchange for making such communications, unless: payment is for a communication regarding a drug currently prescribed for the recipient of the communication and such payment is “reasonable in amount” 21
Restrictions on Marketing Communications the communication is made by the CE after obtaining a valid authorization in accordance with HIPAA section or the communication is made by a BA of a CE, on behalf of such CE, and such communication is consistent with the applicable Business Associate Agreement
Fundraising Restrictions A written communication for fundraising that is a healthcare operation under HIPAA section must allow “in a clear and conspicuous manner” the recipient to opt out to receive any communications opting out, is to be treated as a revocation of authorization under section Restrictions on marketing and fundraising communications will apply after February 17,
Business Associate Contracts Required for Certain Entities More vendors to covered entities or business associates will now be deemed to be business associates each organization that provides data transmission of protected health information and that requires access on a routine basis to such protected health information, such as Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record 24
Business Associates 25
Expanded Business Associates Each organization “that provides data transmission of Protected Health Information to such entity or its Business Associate and that requires access on a routine basis to such Protected Health Information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing, Gateway, or each vendor that contracts with a Covered Entity to allow that Covered Entity to offer a personal health record to patients as part of its electronic health record and it is required to enter into a Business Associate Agreement.”
Business Associates Must comply with certain HIPAA security standards Administrative safeguards Technical safeguards Physical safeguards As a matter of law, must comply with privacy duties established by BA contract, including new duties established by HITECH Covered entities will need to incorporate HITECH provisions into BA contracts HHS will issue annual guidance on these and other HIPAA security standards
Business Associates are now directly subject to specific requirements Penalties directly apply to Business Associates Increased Penalties Enhanced Enforcement Activities Increased Application and Enforcement 28
Application of Privacy Provisions and Penalties to BA Proposed that Business Associate is responsible for subcontractors Proposed Rule expands definition of Business Associate Direct Enforcement 29
Enforcement Activities
Criminal Penalties Covered Entities should be aware of the additional Penalties and the Enforcement Activities: Enhanced Criminal Penalties Willful neglect standard 31
Penalty Tiered Increase Minimal levels of Penalties based on Intent: $100 - $25,000 -Person did not know and would not have known $1,000 - $100,000- Reasonable cause and not willful neglect $10,000 - $250,000 Willful Neglect $50,000 -$1,500,000 Willful neglect and not corrected 32
State Attorney General Permits civil actions on behalf of patients May enjoin the actions; and Obtain damages not to exceed $25,000 annually Attorneys fees may be recovered by State Each State Attorney General has been Trained on HIPAA 33
Future Enforcement Tools Additional funding for Enforcement Activities In 3 years, the “individual harmed” may receive a % of the CMP collected from the offense
Audit Program Federal Government Granted two Contracts related to Auditing and Enforcement Booze Allen KPMG
Audit Program November – December 2011 Pilot Program 150 audits 20 initial audits Covered Entities Initially Program will Expand to Business Associates
OCR Enforcement Results HHS / OCR has investigated and resolved over 15,176 cases by requiring changes in privacy practices and other corrective actions by the covered entities 7,894 cases, OCR found no violation had occurred
OCR Enforcement Activities 514 complaints alleging a violation of the Security Rule. 323 complaints closed after investigation and appropriate corrective action. As of December 31, 2011, OCR had 266 open complaints and compliance reviews
HITECH Penalties $4.3 Million Fine Cignet $1.0 Million Fine Mass General $865,500 Fine UCLA
Notification 40
Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity. Business associates subject to same penalties as Covered Entities Also applies to vendors of personal health records Security and Notice Requirements 41
Security and Notice Requirements Applies to any Covered Entity or BA/vendor that: Accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information Applies directly to vendors, regardless of whether a business associated agreement is executed 42
Security and Notice Requirements Unsecured Protected Health Information means (Section 13402(h)) protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section 43
Security and Notice Requirements Obligation to notify triggers upon discovery of a breach Discovery determined to be the first day on which such breach is known or should reasonably have been known to such entity or associate to have occurred Knowledge by any person that is an employee, officer or other agent of the entity or associate 44
Security and Notice Requirements Notice to Individual must include: Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during such breach Brief description of what happened, including the date of the breach and the date of discovery of the breach Description of the types of unsecured protected health information that were involved 45
Security and Notice Requirements Steps the individual should take to protect themselves from potential harm resulting from the breach Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches Contact procedures for individuals to ask question or learn additional information
Security and Notice Requirements Notice to the Secretary by Covered Entities: For breaches impacting 500 or more individuals, notify the Secretary immediately For breaches impacting fewer than 500 individuals, maintain a log and notify the Secretary annually submit such log 47
Security and Notice Requirements Notice Process Notice Timing: Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach Delay allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security Methods of Notice: Written notification by first class mail to individual Substitute notice process for insufficient or out of date contact information Media notice information for 500 individuals or more 48
“Safe Harbor” Safe Harbor from Notification Requirement is to ensure the data is maintained in a “secure” manner. June Requested comments on the proposed form of “secure” data. Encryption De-Identification 49
Georgia Breaches The Neurological Institute of Savannah & Center of Spine July 2, ,425 Theft University Hospital May 7, ,000 records Loss
HIPAA Transactions HIPAA 5010 Update from HIPAA 4010 January 1, 2012 Delayed Enforcement by 3 Months
HIPAA Transaction Code Sets HIPAA EFT Transaction Remittance Advice Transaction Proposed Rule January 12, 2012
Thank you Michele Madison Partner, Healthcare Practice Morris, Manning & Martin, LLP This presentation is provided as a general informational service to clients and friends of Morris, Manning & Martin LLP. It should not be construed as, and does not constitute, legal advice on any specific matter, nor does this message create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. Please note, prior results discussed in the material do not guarantee similar outcomes. 53