Analysis of the HIPAA Omnibus (Final) Rule

April 19, 2013

Karen Smith, Claire Turcotte

© Bricker & Eckler LLP 2013 6189374v3

Introduction

• Introduction
• Omnibus Rule Provisions for Discussion
  • Revisions to the Breach Notification Rule
  • Changes to Marketing, Fundraising, and Sale of PHI
  • Required Changes to the Content of the Notice of Privacy Practices
  • Enforcement
  • Business Associates and BA Agreements
  • Individual Access to PHI – Electronic Copies
  • Restrictions on the Disclosure of PHI to Payors
  • Additional Changes: PHI of Deceased Individuals, Disclosure of Immunization Records to Schools, GINA
• Conclusion

Introduction

Final HIPAA omnibus rule (“Omnibus Rule” or “Final Rule”) released January 17, 2013, and published January 25, 2013 (78 Fed. Reg. 5566)

Omnibus Rule implements regulations regarding numerous aspects of the HITECH Act

Effective March 26, 2013. Compliance date for CEs and BAs is September 23, 2013, for everything (except grandfathered BAs)

Note: abbreviations CE, PHI, BA, used in slides for efficiency, including in quotes from Omnibus Rule

Revisions to Breach Notification Rule

Karen Smith

Changes to Breach Notification

Definition of Breach

“Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the PHI”

“Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: … [see slide 6]”

Changes

• Removal of Risk of Harm
• Presumption of Breach

Objective Risk Factors

Four Objective Factors

• Nature and extent of the PHI involved
• Unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed
• Extent to which the risk to the PHI has been mitigated

Exceptions

The Final Rule adopted the three exceptions found in the Interim Final Rule without modification

• Unintentional acquisition, access or use of PHI
• Inadvertent disclosure of PHI
• Unauthorized disclosure without the ability to retain the information

Notifications

The Final Rule adopts all of the notification requirements with a minor change

Covered entities are now required to notify HHS of all breaches affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were discovered

Limited Data Sets

The Final Rule requires a covered entity to perform a breach assessment if a limited data set is used or disclosed in an impermissible manner even if the limited data set excludes zip codes and birth dates

Compliance

All covered entities must comply with the new breach notification requirements by September 23, 2013

• Update policies & procedures for reporting, analyzing and documenting a possible breach
• Train workforce members regarding revised policies & procedures

Marketing, Fundraising, and the Sale of PHI

Claire Turcotte

Marketing After Omnibus Rule

“Marketing” means: “To make a communication about a product or service that encourages recipients to purchase or use the product or service”

Final Rule requires authorization for all treatment and health care operations communications where the CE receives “financial remuneration” for making the communications from a third party whose products or services are being

The authorization must state that financial remuneration is involved (note: “financial remuneration” does not include in-kind or non-financial benefits)

Marketing After Omnibus Rule

Exceptions from “marketing” include:

If “financial remuneration” is reasonably related to the CE’s cost of making the communication:

• Communications for refill reminders or about drugs or biologics currently prescribed for the individual and generic equivalents
• Communications reminding patients to adhere to instructions about their currently prescribed medications
• Communications about drug delivery systems when an individual is prescribed a self-administered drug or biologic
• Costs of labor, supplies and postage to make the communication are “reasonably related” (e.g., drug manufacturer can cover these costs)

Marketing After Omnibus Rule

Exceptions from “marketing” (cont’d):

If the CE receives no “financial remuneration”:

• Communications about the CE’s own health-related products and services
• Case management or care coordination communications regarding alternative treatments, therapies, health care providers, or settings of care

Other Omnibus Rule Exceptions to “Marketing”

Face-to-face communications (even if CE receives “financial remuneration”); telephone is not face-to-face

Promotional gifts of nominal value

Communications promoting health in general that do not promote a product or service from a particular provider (e.g., promoting a healthy diet)

Communications about government and government-sponsored programs

Communications that do not involve PHI (e.g., CE uses a purchased mailing list not derived from PHI)

Fundraising Before Omnibus Rule

The CE can use certain limited PHI for purposes of raising funds for its own benefit

PHI limited to demographic information relating to an individual and date of health care provided to an individual

Concern that limited set of permitted PHI restricts a CE’s ability to target fundraising communications

Particular concern about ability to avoid inappropriate communications to patients who may have had bad outcomes

Fundraising After Omnibus Rule

Expanded categories of PHI that can be used for fundraising without authorization

If a CE meets specified conditions, it can use or disclose PHI to a BA or an institutionally-related foundation for fundraising without patient authorization including:

• Demographic information (name, address, contact information, age, gender, DOB)
• Department of service (e.g., cardiology)
• Treating physician
• Outcome information (including death or sub-optimal outcome)
• Health insurance status

Fundraising Conditions CEs Must Meet

To use or disclose PHI for fundraising, the CE must:

Include in its NPP a statement that the CE may contact the individual for fundraising and the individual has a right to opt-out

If an individual does opt-out, their choice must be treated as a revocation of authorization, which then prohibits the CE from sending further fundraising communications

In each fundraising communication, provide a clear and conspicuous opportunity for the individual to opt-out of fundraising communications

Fundraising Conditions CEs Must Meet

Ensure that the method to opt-out of fundraising communications cannot cause the individual to incur an undue burden or more than a nominal cost

Not condition treatment or payment on the individual’s choice with respect to receipt of fundraising communications

Not make fundraising communications to an individual who has elected not to receive fundraising communications

Methods to Opt-Out and Back In

CEs may provide individuals with a method to opt back in

CEs can choose method to opt-out; suggestions include:

• Toll-Free Numbers
• E-mail address
• Requiring return of preprinted postcard (not an “undue burden”)
• But not requiring a written letter (is an “undue burden”)

Size of population to whom sending communications and geographic distribution and other similar factors should be considered in choosing an appropriate opt-out method

Making a donation after having opted out is not an appropriate opt-in method; individual must make a separate election to opt-in

Scope of Opt-Out

Covered Entities have discretion to determine the scope of the opt-out

If a Covered Entity can track campaign-specific opt-outs, it can use a campaign-specific opt-out

Covered Entities can permit individuals to elect whether to opt-out of all fundraising communications, or only for specific campaign(s)

Generally, communication must clearly inform the individual of their options

Post-Omnibus Rule Sale of PHI

No direct or indirect receipt of remuneration in exchange for receiving PHI, except if pursuant to patient authorization meeting specified requirements

Sale includes access, license, lease or transfer of ownership of PHI

Remuneration includes both financial and in-kind (unlike “marketing”)

Exceptions to Prohibition on Sale of PHI

Public health purposes

Research purposes where only remuneration is a reasonable cost-based fee to cover the costs of preparation and transmittal of data

Treatment and payment purposes

Sale, transfer, merger or consolidation of all or part of the Covered Entity (or related due diligence)

Services of a business associate (or subcontractor) at the request of the Covered Entity and only payment is for such services

Exceptions to the Prohibition on Sale of PHI (cont’d)

Providing an individual with access to his/her own PHI

When required by law

Other purposes permitted by the Privacy Rule, where remuneration received is a reasonable cost-based fee to cover the costs of preparation and transmittal or a fee otherwise expressly permitted by law (e.g., disclosure of limited data sets for permitted purposes)

Notice of Privacy Practices

Claire Turcotte

Notice of Privacy Practices

Additions to the NPP

Statement that the following uses and disclosures will be made only with patient authorization:

• Uses and disclosures for marketing purposes
• Uses and disclosures for the sale of PHI
• Most uses and disclosures of psychotherapy notes
• Other uses and disclosures not described in the NPP

Right to a notice in the event of breach

Right to opt-out of fundraising communications

Notice of Privacy Practices

Additions to the NPP – Providers Only

Right to restrict disclosures of PHI to health plans if an individual has paid for services out-of-pocket, in full, and the individual requests that the provider not disclose PHI related solely to those services

Notice of Privacy Practices

Additions to the NPP – Health Plans Only

Statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes

Exception for certain issuers of long-term care policies

Notice of Privacy Practices

Deletion from the NPP

Statement that the CE may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits or services

• HHS notes that CEs may choose to leave this in the NPP

Notice of Privacy Practices

Posting and Distribution of Revised NPP

HHS deems this to be a material revision of the NPP

All CEs must revise their NPP by September 23, 2013

Providers must make the revised NPP available to existing patients upon request, post the revised NPP to their websites (if applicable), and post the revised NPP in a prominent location on the premises

New patients who receive services after modification of the NPP must be provided with a copy of the revised NPP

Health Plans must either distribute the revised NPP within 60 days of the change (if they do not post the NPP to a website) or post the NPP to their website and notify all members of the changes in the next annual mailing

Enforcement Rule

Karen Smith

Enforcement

Determination of Civil Monetary Penalties (CMPs)

Retains proposed rule’s CMP structure for violations based on tiered levels of culpability

| Violation Category | Penalty for Each Violation | Maximum for All Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Did Not Know | $100-$50,000 | $1,500,000 |
| Reasonable Cause | $1,000-$50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000-$50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $1,500,000 |

Enforcement

Determination of Civil Monetary Penalties (CMPs)

HHS will not impose maximum penalty in all cases

CMPs will be calculated on a case-by-case basis depending on these factors:

• Nature and extent of violation
• Nature and extent of resulting harm
• History of non-compliance of the entity
  • HHS will consider prior non-compliance even if there was no formal finding of a violation
• Financial condition of the entity

Enforcement

Affirmative Defenses

Prohibits imposition of penalties for any violation that is corrected within 30 days, as long as the violation was not due to willful neglect

Removes affirmative defense that covered entity did not know and with exercise of reasonable diligence could not have known of a violation (Now Tier 1 violation)

CMP may not be imposed if a criminal penalty has already been imposed for the violation

Enforcement

Investigations

HHS no longer has discretion as to whether to initiate an investigation when its preliminary review indicates there may be a violation due to willful neglect

HHS retains sole discretion to decide whether to initiate an investigation or compliance review when its preliminary review indicates there may be a violation and the degree of culpability was less than willful neglect

HHS is no longer required to try to resolve violations by informal means

Enforcement

Liability for Business Associate “Agents”

Adopts proposal to make covered entities and business associates liable for their business associates who are their agents under federal agency law

Whether a business associate is considered an agent of the CE will be a fact-specific determination

Labels used by the parties (e.g., “independent contractor”) will not control whether an agency relationship exists

Business associate may be an agent even when acting in violation of a business associate agreement, if acting for the benefit of the covered entity

Business Associates and BA Agreements

Claire Turcotte

Business Associates

HITECH introduced radical changes:

BAs directly subject to certain security standards and the privacy requirements set forth in HITECH

• administrative safeguards 45 CFR 164.308
• physical safeguards 45 CFR 164.310
• technical safeguards 45 CFR 164.312
• policies, procedures and documentation requirements 45 CFR 164.316

BAs subject to requirements under Notice of Breach rules

BAs subject to civil and criminal penalties same as CEs

Business Associates

Adopts HITECH changes and also makes new changes for BAs:

Makes additional Security Rules applicable to BAs

Applies minimum necessary rule to BAs

Expands definition of “Business Associate” to include subcontractors of BAs

Clarifies definition of BAs to include Patient Safety Organizations, Health Information Exchanges, Personal Health Records (or entities offering such services on behalf of a CE)

Makes CEs liable for violations of BAs that are acting as agents of the CEs

Privacy Rule

Omnibus Rule revisions to specify BA’s permitted and required uses and disclosures of PHI

BAs not subject to all Privacy Rule requirements. BA not required to comply with Notice of Privacy Practices requirement, for example

But Omnibus Rule revised Privacy Rule to require BAs to comply with general rule on use/disclosure of PHI

BAs can use or disclose PHI per the BA contract or as permitted by the Privacy and Security Rule

Direct Liability

HHS commentary: “BAs are directly liable under the HIPAA Rules for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity, for a failure to provide access to a copy of electronic PHI to either the CE, the individual, or the individual’s designee (whichever is specified in the BAA), for a failure to disclose PHI where required by the Secretary to investigate or determine the BA’s compliance with the HIPAA Rules, for a failure to provide an accounting of disclosures, and for a failure to comply with the requirements of the Security Rule. BAs remain contractually liable for other requirements of the BAA…”

BA “becomes” a BA by definition, not by the act of signing a BAA. BA liable under HIPAA upon acting as a BA; not contingent on executed BAA

Minimum Necessary Rule

Omnibus Rule expressly makes applicable to BAs:

“Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Note: applies to BAs using or disclosing PHI and disclosures by CEs to BAs and requests from BAs to CEs. CEs should not disclose more PHI than necessary to BAs; having BAA does not allow unlimited exchange of PHI

Security Rule

Omnibus Rule makes following additional provisions of the Security Rule applicable to BAs:

45 CFR 164.306: Security Standards

“(a) General requirements. Covered entities and business associates must do the following:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
• Ensure compliance with this subpart by its workforce”

45 CFR 164.314: Organizational Requirements

• Business Associate contract requirements

PSOs, HIEs, PHRs

Omnibus Rule adds language to the definition of “Business Associate” to clarify that Patient Safety Organizations, Health Information Exchanges, and Personal Health Records (or entities offering these services) are BAs

45 CFR 160.103:

“(1) [Business associate means] a person who (i) On behalf of [the CE] creates, receives, maintains, or transmits [PHI] for … patient safety activities listed at 42 CFR 3.20 …

(3) [Business associate includes:] (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to [PHI] to a [CE] and that requires access on a routine basis to such [PHI]. (ii) A person that offers a personal health record to one or more individuals on behalf of a [CE] …”

Subcontractors

Omnibus Rule expands the definition of “Business Associate” to include subcontractors of BAs who create, receive, maintain or transmit PHI from the BA

Subcontractors are persons to whom a BA has delegated a function, activity, or service the BA has agreed to perform for a CE or BA and where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI

Can have multiple downstream subcontractors

BA must have a BA Agreement with each subcontractor, and subcontractors must have BA Agreements with their subcontractor BAs

Subcontractors

Subcontractors BA Agreements:

Not required for CE to have BAA with subcontractors of the CE’s BAs

BAA between BA and subcontractor may not permit subcontractor to use/disclose PHI in manner not permitted by the BA. Each BAA in a chain, from CE to BA to subcontractors, must be as stringent as or more stringent than the last

Compliance date for having these in place is September 23, 2013; subject to extension for grandfathered agreements, see slide 21

Revisions to BA Agreements

You will need to revise your BAAs because:

Additional provisions of Security Rules are now applicable to BAs

Minimum necessary rule now applicable to BAs

Definition of “breach” has changed. If the BAA defines breach or outlines assessment of what is a breach, this is not likely to comply with Omnibus Rule requirements

While old BAAs usually said “BA must ensure subcontractor agrees to the same restrictions,” you will want to make clear that this means BA must enter into a BAA with subcontractors

Consider adding indemnification of CE by BA for BA and its subcontractors’ compliance with Privacy and Security Rule requirements

Revisions to BA Agreements

Compliance date: September 23, 2013

Extended compliance date for grandfathered BAAs: September 23, 2014

If the BAA was in place before January 25, 2013, and complied with the then-current rules, and it is not renewed or modified on or after March 26, 2013

Applies to agreements between BAs and subcontractors, but note must have had written agreement that complied with 45 CFR 164.314(a) and 45 CFR 164.504(e)

Access to PHI: Right to an Electronic Copy

Claire Turcotte

Individual Access to PHI – New Requirements

Individuals may request and CEs must now provide an individual with a copy of their PHI that is maintained by the CE as electronic PHI in a designated record set, in the electronic form and format requested by the individual if such format is readily producible

If the requested format is not readily producible, the CE must offer to produce the electronic PHI in at least one readable electronic format

If the individual declines all available electronic formats, provide a hard copy

Access – Clarifications

CEs do not need to purchase new software or hardware to accommodate requests for various types of formats; however, they must be able to provide some form of readable electronic copy

For CEs with medical records in mixed media (i.e., some paper and some electronic PHI), the CE may provide a combination of electronic and hard copies to the individual

Records maintained in hard copy do not need to be scanned

Access – Clarifications

A CE is not required to use an individual’s flash drive or other device to transfer the electronic PHI if the CE has security concerns regarding the external portable media

If an individual requests to receive the electronic copy via unencrypted email and secure email is unavailable, the CE may decide whether or not to send the electronic copy via unencrypted email

However, if unencrypted email is used, the CE must advise the individual of the risk that the information could be read by a third party

Access – Third Parties

If requested by an individual, a CE must transmit the electronic copy directly to another person designated by the individual

HHS clarified that CEs may rely on information provided by the individual regarding the third-party recipient, but they must implement policies and procedures to verify the identity of any person requesting PHI and implement reasonable safeguards to protect the information disclosed

Access – Fees

CEs may charge reasonable cost-based fees to individuals for providing access to PHI, including providing a copy in electronic format, including

• labor costs,
• supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media, and
• postage

BA system maintenance, storage cost, new terminology, retrieval fees not permitted

Access – Fees and Preemption

Under the state law preemption provisions of HIPAA, a state law imposing lower cost limits would apply. Conversely, if state law permits higher costs, then the lower HIPAA limits would apply

Access – Timing

The Final Rule decreases the total time CEs have to respond to requests for access from 90 to 60 days (by removing the provision allowing an additional 30 days if PHI is not maintained on-site)

CEs may provide the individual written notice of a one-time extension of up to 30 days, including the reason for the delay and the expected date of completion

Restrictions on Disclosure to Payors

Additional Issues: Deceased Individuals, Immunization Records, GINA

Karen Smith

Restrictions

The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI

Final Rule created an exception, and requires a CE to agree to a restriction if:

• the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
• the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the CE in full

Restrictions

CEs are not required to create separate medical records or otherwise segregate PHI subject to a restriction

CEs will need to flag restricted PHI or make a notation in the record that the PHI has been restricted

CEs are not required to abide by a restriction if an individual’s payment is dishonored, but they must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan

Deceased Individuals

The Final Rule limits the time period that PHI of deceased individuals must be protected to 50 years

This is not a record retention requirement

A covered entity may disclose a deceased individual's PHI to family members and others who were involved in the care or payment for care of the individual prior to death, unless the disclosure is inconsistent with any prior expressed preference of the individual

Immunization Records

The Final Rule permits a CE to disclose proof of immunization to a school if the school is required by law to have such information prior to admitting the student

Written authorization will no longer be required

CEs are required to obtain written or oral agreement from a parent or guardian and document the agreement

A signature is not required

An email from the parent, or a notation of a phone call in the child’s medical record or elsewhere would suffice as documentation

Genetic Information

Adopts the definition of “genetic information” from Genetic Information Nondiscrimination Act of 2008 (GINA), which includes:

• The individual’s genetic tests
• Genetic tests of family members
• Family medical history

Clarifies that tests such as HIV tests, blood counts, cholesterol or liver function tests, or tests to detect the presence of alcohol or drugs, are not genetic information

Defines genetic information to include information about a fetus or embryo

Specifically excludes age and sex from the definition of genetic information

Genetic Information

Prohibits the use of genetic information for underwriting

“Underwriting” includes the following:

• the determination of eligibility and enrollment
• premium or contribution amounts, including reduced cost sharing amounts or rewards under a wellness program
• the application of any pre-existing condition exclusion
• other activities related to the creation, renewal or replacement of a contract of health benefits

The use of genetic information is permitted when an individual is seeking a particular benefit and the genetic information is needed to determine the medical appropriateness of providing the benefit

Genetic Information

The prohibition on using genetic information for underwriting under GINA is expanded to include all entities included in the definition of “health plan,” except for long term care plans

• e.g. Medicare, Medicaid, high risk pools, excepted benefits such as dental and vision

The prohibition does not apply to providers

The prohibition applies to all genetic information from the compliance date of the Final Rule forward, regardless of when or where the genetic information originated

Conclusion

Compliance Date

CEs must be in compliance with the Final Rule by September 23, 2013 (with exception of grandfathered BA Agreements)

This means your policies and procedures, BA Agreements and NPPs must be revised by September 23, 2013

Conclusion

Resources

HIPAA Regulations: www.bricker.com/hipaa

eAlerts: www.incomplianceconsulting.com/services/hipaa-alerts

On-line Compliance Program: www.bricker.com/hipaa

www.incomplianceconsulting.com/services/hipaa-consulting-services

Q & A

Karen Smith

614.227.2313

Claire Turcotte

513.870.6573