Analysis of the HIPAA Omnibus (Final) Rule
April 19, 2013
Karen Smith, Claire Turcotte
© Bricker & Eckler LLP 2013 (6189374v3)
Slide 2: Introduction
Omnibus Rule Provisions for Discussion:
Introduction
Revisions to the Breach Notification Rule
Changes to Marketing, Fundraising, and Sale of PHI
Required Changes to the Content of the Notice of Privacy Practices
Enforcement
Business Associates and BA Agreements
Individual Access to PHI – Electronic Copies
Restrictions on the Disclosure of PHI to Payors
Additional Changes: PHI of Deceased Individuals, Disclosure of Immunization Records to Schools, GINA
Conclusion
Slide 3: Introduction
Final HIPAA omnibus rule (“Omnibus Rule” or “Final Rule”) released January 17, 2013, and published January 25, 2013 (78 Fed. Reg. 5566)
Omnibus Rule implements regulations regarding numerous aspects of the HITECH Act
Effective March 26, 2013. Compliance date for CEs and BAs is September 23, 2013, for everything (except grandfathered BAs)
Note: the abbreviations CE, PHI and BA are used in the slides for efficiency, including in quotes from the Omnibus Rule
Slide 5: Changes to Breach Notification
Definition of Breach
“Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the PHI”
“Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: … [see slide 6]”
Changes: Removal of Risk of Harm; Presumption of Breach
Slide 6: Objective Risk Factors
Four Objective Factors:
Nature and extent of the PHI involved
Unauthorized person who used the PHI or to whom the disclosure was made
Whether the PHI was actually acquired or viewed
Extent to which the risk to the PHI has been mitigated
Slide 7: Exceptions
The Final Rule adopted the three exceptions found in the Interim Final Rule without modification:
Unintentional acquisition, access or use of PHI
Inadvertent disclosure of PHI
Unauthorized disclosure without the ability to retain the information
Slide 8: Notifications
The Final Rule adopts all of the notification requirements with a minor change
Covered entities are now required to notify HHS of all breaches affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were discovered
Slide 9: Limited Data Sets
The Final Rule requires a covered entity to perform a breach assessment if a limited data set is used or disclosed in an impermissible manner, even if the limited data set excludes zip codes and birth dates
Slide 10: Compliance
All covered entities must comply with the new breach notification requirements by September 23, 2013
Update policies & procedures for reporting, analyzing and documenting a possible breach
Train workforce members regarding revised policies & procedures
Slide 12: Marketing After Omnibus Rule
“Marketing” means: “To make a communication about a product or service that encourages recipients to purchase or use the product or service”
Final Rule requires authorization for all treatment and health care operations communications where the CE receives “financial remuneration” for making the communications from a third party whose products or services are being
The authorization must state that “financial remuneration is involved” (note: “financial remuneration” does not include in-kind or non-financial benefits)
Slide 13: Marketing After Omnibus Rule
Exceptions from “marketing” include:
If “financial remuneration” is reasonably related to the CE’s cost of making the communication:
• Communications for refill reminders or about drugs or biologics currently prescribed for the individual and generic equivalents
• Communications reminding patients to adhere to instructions about their currently prescribed medications
• Communications about drug delivery systems when an individual is prescribed a self-administered drug or biologic
• Costs of labor, supplies and postage to make the communication are “reasonably related” (e.g., drug manufacturer can cover these costs)
Slide 14: Marketing After Omnibus Rule
Exceptions from “marketing” (cont’d):
If the CE receives no “financial remuneration”:
• Communications about the CE’s own health-related products and services
• Case management or care coordination communications regarding alternative treatments, therapies, health care providers, or settings of care
Slide 15: Other Omnibus Rule Exceptions to “Marketing”
Face-to-face communications (even if CE receives “financial remuneration”); telephone is not face-to-face
Promotional gifts of nominal value
Communications promoting health in general that do not promote a product or service from a particular provider (e.g., promoting a healthy diet)
Communications about government and government-sponsored programs
Communications that do not involve PHI (e.g., CE uses a purchased mailing list not derived from PHI)
Slide 16: Fundraising Before Omnibus Rule
The CE can use certain limited PHI for purposes of raising funds for its own benefit
PHI limited to demographic information relating to an individual and date of health care provided to an individual
Concern that limited set of permitted PHI restricts a CE’s ability to target fundraising communications
Particular concern about ability to avoid inappropriate communications to patients who may have had bad outcomes
Slide 17: Fundraising After Omnibus Rule
Expanded categories of PHI that can be used for fundraising without authorization
If a CE meets specified conditions, it can use or disclose PHI to a BA or an institutionally-related foundation for fundraising without patient authorization, including:
• Demographic information (name, address, contact information, age, gender, DOB)
• Department of service (e.g., cardiology)
• Treating physician
• Outcome information (including death or sub-optimal outcome)
• Health insurance status
Slide 18: Fundraising Conditions CEs Must Meet
To use or disclose PHI for fundraising, the CE must:
Include in its NPP a statement that the CE may contact the individual for fundraising and the individual has a right to opt-out
If an individual does opt-out, their choice must be treated as a revocation of authorization, which then prohibits the CE from sending further fundraising communications
In each fundraising communication, provide a clear and conspicuous opportunity for the individual to opt-out of fundraising communications
Slide 19: Fundraising Conditions CEs Must Meet
Ensure that the method to opt-out of fundraising communications cannot cause the individual to incur an undue burden or more than a nominal cost
Not condition treatment or payment on the individual’s choice with respect to receipt of fundraising communications
Not make fundraising communications to an individual who has elected not to receive fundraising communications
Slide 20: Methods to Opt-Out and Back In
CEs may provide individuals with a method to opt back in. CEs can choose the method to opt-out; suggestions include:
• Toll-free numbers
• E-mail address
• Requiring return of a preprinted postcard (not an “undue burden”)
• But not requiring a written letter (is an “undue burden”)
Size of population to whom sending communications, geographic distribution and other similar factors should be considered in choosing an appropriate opt-out method
Making a donation after having opted out is not an appropriate opt-in method; individual must make a separate election to opt-in
Slide 21: Scope of Opt-Out
Covered Entities have discretion to determine the scope of the opt-out
If a Covered Entity can track campaign-specific opt-outs, it can use a campaign-specific opt-out
Covered Entities can permit individuals to elect whether to opt-out of all fundraising communications, or only for specific campaign(s)
Generally, communication must clearly inform the individual of their options
Slide 22: Post-Omnibus Rule Sale of PHI
No direct or indirect receipt of remuneration in exchange for receiving PHI, except if pursuant to patient authorization meeting specified requirements
Sale includes access, license, lease or transfer of ownership of PHI
Remuneration includes both financial and in-kind (unlike “marketing”)
Slide 23: Exceptions to Prohibition on Sale of PHI
Public health purposes
Research purposes where the only remuneration is a reasonable cost-based fee to cover the costs of preparation and transmittal of data
Treatment and payment purposes
Sale, transfer, merger or consolidation of all or part of the Covered Entity (or related due diligence)
Services of a business associate (or subcontractor) at the request of the Covered Entity and the only payment is for such services
Slide 24: Exceptions to the Prohibition on Sale of PHI (cont’d)
Providing an individual with access to his/her own PHI
When required by law
Other purposes permitted by the Privacy Rule, where remuneration received is a reasonable cost-based fee to cover the costs of preparation and transmittal or a fee otherwise expressly permitted by law (e.g., disclosure of limited data sets for permitted purposes)
Slide 26: Notice of Privacy Practices
Additions to the NPP
Statement that the following uses and disclosures will be made only with patient authorization:
• Uses and disclosures for marketing purposes
• Uses and disclosures for the sale of PHI
• Most uses and disclosures of psychotherapy notes
• Other uses and disclosures not described in the NPP
Right to a notice in the event of breach
Right to opt-out of fundraising communications
Slide 27: Notice of Privacy Practices
Additions to the NPP – Providers Only
Right to restrict disclosures of PHI to health plans if an individual has paid for services out-of-pocket, in full, and the individual requests that the provider not disclose PHI related solely to those services
Slide 28: Notice of Privacy Practices
Additions to the NPP – Health Plans Only
Statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes
Exception for certain issuers of long-term care policies
Slide 29: Notice of Privacy Practices
Deletion from the NPP
Statement that the CE may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits or services
• HHS notes that CEs may choose to leave this in the NPP
Slide 30: Notice of Privacy Practices
Posting and Distribution of Revised NPP
HHS deems this to be a material revision of the NPP
All CEs must revise their NPP by September 23, 2013
Providers must make the revised NPP available to existing patients upon request, post the revised NPP to their websites (if applicable), and post the revised NPP in a prominent location on the premises
New patients who receive services after modification of the NPP must be provided with a copy of the revised NPP
Health Plans must either distribute the revised NPP within 60 days of the change (if they do not post the NPP to a website) or post the NPP to their website and notify all members of the changes in the next annual mailing
Slide 32: Enforcement
Determination of Civil Monetary Penalties (CMPs)
Retains proposed rule’s CMP structure for violations based on tiered levels of culpability

Violation Category               Penalty for Each Violation   Maximum for All Violations of an Identical Provision in a Calendar Year
Did Not Know                     $100-$50,000                 $1,500,000
Reasonable Cause                 $1,000-$50,000               $1,500,000
Willful Neglect – Corrected      $10,000-$50,000              $1,500,000
Willful Neglect – Not Corrected  $50,000                      $1,500,000
Slide 33: Enforcement
Determination of Civil Monetary Penalties (CMPs)
HHS will not impose maximum penalty in all cases
CMPs will be calculated on a case-by-case basis depending on these factors:
• Nature and extent of violation
• Nature and extent of resulting harm
• History of non-compliance of the entity (HHS will consider prior non-compliance even if there was no formal finding of a violation)
• Financial condition of the entity
Slide 34: Enforcement
Affirmative Defenses
Prohibits imposition of penalties for any violation that is corrected within 30 days, as long as the violation was not due to willful neglect
Removes affirmative defense that covered entity did not know and with exercise of reasonable diligence could not have known of a violation (now a Tier 1 violation)
CMP may not be imposed if a criminal penalty has already been imposed for the violation
Slide 35: Enforcement
Investigations
HHS no longer has discretion as to whether to initiate an investigation when its preliminary review indicates there may be a violation due to willful neglect
HHS retains sole discretion to decide whether to initiate an investigation or compliance review when its preliminary review indicates there may be a violation and the degree of culpability was less than willful neglect
HHS is no longer required to try to resolve violations by informal means
Slide 36: Enforcement
Liability for Business Associate “Agents”
Adopts proposal to make covered entities and business associates liable for their business associates who are their agents under federal agency law
Whether a business associate is considered an agent of the CE will be a fact-specific determination
Labels used by the parties (e.g., “independent contractor”) will not control whether an agency relationship exists
Business associate may be an agent even when acting in violation of a business associate agreement, if acting for the benefit of the covered entity
Slide 38: Business Associates
HITECH introduced radical changes: BAs directly subject to certain security standards and the privacy requirements set forth in HITECH:
• administrative safeguards (45 CFR 164.308)
• physical safeguards (45 CFR 164.310)
• technical safeguards (45 CFR 164.312)
• policies, procedures and documentation requirements (45 CFR 164.316)
BAs subject to requirements under Notice of Breach rules
BAs subject to civil and criminal penalties same as CEs
Slide 39: Business Associates
Adopts HITECH changes and also makes new changes for BAs:
Makes additional Security Rules applicable to BAs
Applies minimum necessary rule to BAs
Expands definition of “Business Associate” to include subcontractors of BAs
Clarifies definition of BAs to include Patient Safety Organizations, Health Information Exchanges, Personal Health Records (or entities offering such services on behalf of a CE)
Makes CEs liable for violations of BAs that are acting as agents of the CEs
Slide 40: Privacy Rule
Omnibus Rule revisions specify a BA’s permitted and required uses and disclosures of PHI
BAs are not subject to all Privacy Rule requirements; a BA is not required to comply with the Notice of Privacy Practices requirement, for example
But the Omnibus Rule revised the Privacy Rule to require BAs to comply with the general rule on use/disclosure of PHI
BAs can use or disclose PHI per the BA contract or as permitted by the Privacy and Security Rule
Slide 41: Direct Liability
HHS commentary: “BAs are directly liable under the HIPAA Rules for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity, for a failure to provide access to a copy of electronic PHI to either the CE, the individual, or the individual’s designee (whichever is specified in the BAA), for a failure to disclose PHI where required by the Secretary to investigate or determine the BA’s compliance with the HIPAA Rules, for a failure to provide an accounting of disclosures, and for a failure to comply with the requirements of the Security Rule. BAs remain contractually liable for other requirements of the BAA…”
BA “becomes” a BA by definition, not by the act of signing a BAA. BA liable under HIPAA upon acting as a BA; not contingent on executed BAA
Slide 42: Minimum Necessary Rule
Omnibus Rule expressly makes applicable to BAs: “Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Note: applies to BAs using or disclosing PHI, to disclosures by CEs to BAs, and to requests from BAs to CEs. CEs should not disclose more PHI than necessary to BAs; having a BAA does not allow unlimited exchange of PHI
Slide 43: Security Rule
Omnibus Rule makes the following additional provisions of the Security Rule applicable to BAs:
45 CFR 164.306: Security Standards
“(a) General requirements. Covered entities and business associates must do the following:
• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
• Ensure compliance with this subpart by its workforce”
45 CFR 164.314: Organizational Requirements
Business Associate contract requirements
Slide 44: PSOs, HIEs, PHRs
Omnibus Rule adds language to the definition of “Business Associate” to clarify that Patient Safety Organizations, Health Information Exchanges, and Personal Health Records (or entities offering these services) are BAs
45 CFR 160.103:
“(1) [Business associate means] a person who (i) On behalf of [the CE] creates, receives, maintains, or transmits [PHI] for … patient safety activities listed at 42 CFR 3.20 …
(3) [Business associate includes:] (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to [PHI] to a [CE] and that requires access on a routine basis to such [PHI]. (ii) A person that offers a personal health record to one or more individuals on behalf of a [CE] …”
Slide 45: Subcontractors
Omnibus Rule expands the definition of “Business Associate” to include subcontractors of BAs who create, receive, maintain or transmit PHI from the BA
Subcontractors are persons to whom a BA has delegated a function, activity, or service the BA has agreed to perform for a CE or BA and where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI
Can have multiple downstream subcontractors
BA must have a BA Agreement with each subcontractor, and subcontractors must have BA Agreements with their own subcontractor BAs
Slide 46: Subcontractors
Subcontractor BA Agreements: not required for CE to have BAA with subcontractors of the CE’s BAs
BAA between BA and subcontractor may not permit subcontractor to use/disclose PHI in manner not permitted by the BA. Each BAA in a chain, from CE to BA to subcontractors, must be as stringent or more than the last
Compliance date for having these in place is September 23, 2013; subject to extension for grandfathered agreements, see slide 21
Slide 47: Revisions to BA Agreements
You will need to revise your BAAs because:
Additional provisions of Security Rules are now applicable to BAs
Minimum necessary rule now applicable to BAs
Definition of “breach” has changed. If the BAA defines breach or outlines assessment of what is a breach, this is not likely to comply with Omnibus Rule requirements
While old BAAs usually said “BA must ensure subcontractor agrees to the same restrictions,” you will want to make clear that this means BA must enter into a BAA with subcontractors
Consider adding indemnification of CE by BA for BA and its subcontractors’ compliance with Privacy and Security Rule requirements
Slide 48: Revisions to BA Agreements
Compliance date: September 23, 2013
Extended compliance date for grandfathered BAAs: September 23, 2014
If the BAA was in place before January 25, 2013, and complied with the then-current rules, and it is not renewed or modified on or after March 26, 2013
Applies to agreements between BAs and subcontractors, but note must have had written agreement that complied with 45 CFR 164.314(a) and 45 CFR 164.504(e)
Slide 50: Individual Access to PHI – New Requirements
Individuals may request, and CEs must now provide, a copy of the individual’s PHI that is maintained by the CE as electronic PHI in a designated record set, in the electronic form and format requested by the individual if such format is readily producible
If the requested format is not readily producible, the CE must offer to produce the electronic PHI in at least one readable electronic format
If the individual declines all available electronic formats, provide a hard copy
Slide 51: Access – Clarifications
CEs do not need to purchase new software or hardware to accommodate requests for various types of formats; however, they must be able to provide some form of readable electronic copy
For CEs with medical records in mixed media (i.e., some paper and some electronic PHI), the CE may provide a combination of electronic and hard copies to the individual
Records maintained in hard copy do not need to be scanned
Slide 52: Access – Clarifications
A CE is not required to use an individual’s flash drive or other device to transfer the electronic PHI if the CE has security concerns regarding the external portable media
If an individual requests to receive the electronic copy via unencrypted email and secure email is unavailable, the CE may decide whether or not to send the electronic copy via unencrypted email
However, if unencrypted email is used, the CE must advise the individual of the risk that the information could be read by a third party
Slide 53: Access – Third Parties
If requested by an individual, a CE must transmit the electronic copy directly to another person designated by the individual
HHS clarified that CEs may rely on information provided by the individual regarding the third-party recipient, but they must implement policies and procedures to verify the identity of any person requesting PHI and implement reasonable safeguards to protect the information disclosed
Slide 54: Access – Fees
CEs may charge reasonable cost-based fees to individuals for providing access to PHI, including providing a copy in electronic format, including:
• labor costs,
• supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media, and
• postage
BA system maintenance, storage cost, new terminology, retrieval fees not permitted
Slide 55: Access – Fees and Preemption
Under the state law preemption provisions of HIPAA, a state law imposing lower cost limits would apply. Conversely, if state law permits higher costs, then the lower HIPAA limits would apply
Slide 56: Access – Timing
The Final Rule decreases the total time CEs have to respond to requests for access from 90 to 60 days (by removing the provision allowing an additional 30 days if PHI is not maintained on-site)
CEs may provide the individual written notice of a one-time extension of up to 30 days, including the reason for the delay and the expected date of completion
Slide 57: Restrictions on Disclosure to Payors; Additional Issues: Deceased Individuals, Immunization Records, GINA
Karen Smith
Slide 58: Restrictions
The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI
Final Rule created an exception, and requires a CE to agree to a restriction if:
• the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
• the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full
Slide 59: Restrictions
CEs are not required to create separate medical records or otherwise segregate PHI subject to a restriction
CEs will need to flag restricted PHI or make a notation in the record that the PHI has been restricted
CEs are not required to abide by a restriction if an individual’s payment is dishonored, but they must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan
Slide 60: Deceased Individuals
The Final Rule limits the time period that PHI of deceased individuals must be protected to 50 years
This is not a record retention requirement
A covered entity may disclose a deceased individual's PHI to family members and others who were involved in the care or payment for care of the individual prior to death, unless the disclosure is inconsistent with any prior expressed preference of the individual
Slide 61: Immunization Records
The Final Rule permits a CE to disclose proof of immunization to a school if the school is required by law to have such information prior to admitting the student
Written authorization will no longer be required
CEs are required to obtain written or oral agreement from a parent or guardian and document the agreement
A signature is not required
An email from the parent, or a notation of a phone call in the child’s medical record or elsewhere, would suffice as documentation
Slide 62: Genetic Information
Adopts the definition of “genetic information” from the Genetic Information Nondiscrimination Act of 2008 (GINA), which includes:
• The individual’s genetic tests
• Genetic tests of family members
• Family medical history
Clarifies that tests such as HIV tests, blood counts, cholesterol or liver function tests, or tests to detect the presence of alcohol or drugs, are not genetic information
Defines genetic information to include information about a fetus or embryo
Specifically excludes age and sex from the definition of genetic information
Slide 63: Genetic Information
Prohibits the use of genetic information for underwriting
“Underwriting” includes the following:
• the determination of eligibility and enrollment
• premium or contribution amounts, including reduced cost sharing amounts or rewards under a wellness program
• the application of any pre-existing condition exclusion
• other activities related to the creation, renewal or replacement of a contract of health benefits
The use of genetic information is permitted when an individual is seeking a particular benefit and the genetic information is needed to determine the medical appropriateness of providing the benefit
Slide 64: Genetic Information
The prohibition on using genetic information for underwriting under GINA is expanded to include all entities included in the definition of “health plan” (e.g., Medicare, Medicaid, high risk pools, excepted benefits such as dental and vision), except for long term care plans
The prohibition does not apply to providers
The prohibition applies to all genetic information from the compliance date of the Final Rule forward, regardless of when or where the genetic information originated
Slide 65: Conclusion
Compliance Date
CEs must be in compliance with the Final Rule by September 23, 2013 (with the exception of grandfathered BA Agreements)
This means your policies and procedures, BA Agreements and NPPs must be revised by September 23, 2013
Slide 66: Conclusion
Resources
HIPAA Regulations: www.bricker.com/hipaa
eAlerts: www.incomplianceconsulting.com/services/hipaa-alerts
On-line Compliance Program: www.bricker.com/hipaa
www.incomplianceconsulting.com/services/hipaa-consulting-services
Slide 67: Q & A
Karen Smith, [email protected], 614.227.2313
Claire Turcotte, [email protected], 513.870.6573