HIPAA in 2021: Overview and Updates

HIPAA in 2021: Overview and Updates Misti Hill Carter, JD, PhD A&M Rural & Community Health Institute (ARCHI)

Transcript of HIPAA in 2021: Overview and Updates

Page 1: HIPAA in 2021: Overview and Updates

HIPAA in 2021: Overview and Updates

Misti Hill Carter, JD, PhD

A&M Rural & Community Health Institute (ARCHI)

Page 2: HIPAA in 2021: Overview and Updates

Objectives:

Describe HIPAA provisions and Texas rules

Discuss HIPAA updates for telehealth and COVID

Identify recent examples of HIPAA violations and related fines

Page 3: HIPAA in 2021: Overview and Updates

Legal Concepts: Privacy & Confidentiality

• Privacy is a broader term.
  – Physical seclusion
  – Protection of personal information
  – Protection of personal identity
  – Ability to make choices without interference

• Confidentiality is narrower. Refers to the protection of personal information.
  – Medical context → duty not to disclose information

Page 4: HIPAA in 2021: Overview and Updates

Acronyms

• CE → Covered Entity

• PHI → Protected Health Information

• TPO → Treatment, payment, health care operations

• EHR → Electronic Health Record

• HHS → U.S. Department of Health & Human Services (“The Secretary”)

• HHSC → Texas Health and Human Services Commission (“The Commission”)

• THSA → Texas Health Services Authority

• AG → Texas Attorney General

Page 5: HIPAA in 2021: Overview and Updates

Overview of HIPAA

Image: http://rylkov-fond.org/files/2016/04/back-to-basics.jpg

Page 6: HIPAA in 2021: Overview and Updates

Federal Law: HIPAA (Health Insurance Portability and Accountability Act)

• Privacy Rule
  – Sets standards regarding how we use and disclose PHI
  – Covers ALL Protected Health Information (PHI)

• Security Rule
  – Protects electronic Protected Health Information (ePHI)
  – Requires “Covered Entities” (CEs) & their “Business Associates” (BAs) to ensure that ePHI is secure

• Breach Notification Rule
  – Requires CEs & BAs to notify consumers and HHS

• Enforcement Rule
  – Sets enforcement standards & civil penalties

2013 HIPAA Omnibus Rule (the “Final Rule”) – modified the four HIPAA rules

Page 7: HIPAA in 2021: Overview and Updates

Privacy Rule

• Establishes a set of rules to protect all PHI (Protected Health Information)
  – Note → De-identified information is not protected

Page 8: HIPAA in 2021: Overview and Updates

What is PHI?

All “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Page 9: HIPAA in 2021: Overview and Updates
Page 10: HIPAA in 2021: Overview and Updates

Privacy Rule

• Establishes a set of rules to protect all PHI (Protected Health Information)
  – Note → De-identified information is not protected

• Applies to:
  – Covered Entities (CEs) – Health Plans, Health Care Clearinghouses, & Health Care Providers
  – Business Associates (BAs) – individual or entity acting on behalf of a CE (the CE should have a Business Associates Contract, or BAC, with every BA)

• CEs and BAs may not use or disclose protected information unless:
  – Permitted Use/Disclosure → for “TPO” or “treatment, payment, or healthcare operations”
  – Requests → the protected individual authorizes disclosure in writing

• Follows the principle of “minimum necessary” use and disclosure.

• Gives patients rights to their PHI

• Requires notice to patients

Page 11: HIPAA in 2021: Overview and Updates

Security Rule

• Established a national set of security standards for ePHI (Electronic Protected Health Information)
  – Goal is to protect the confidentiality, integrity, and availability of ePHI

• Requires three specific types of safeguards to secure ePHI:
  – Administrative safeguards
  – Technical safeguards
  – Physical safeguards

Page 12: HIPAA in 2021: Overview and Updates

Texas Law: The Texas Medical Records Privacy Act (or HB 300)

• Effective September 1, 2012

• Broader reach than HIPAA:
  – Broader definition of “Covered Entity” or CE
  – New operational requirements:
    · Notice & Authorization
    · Training
    · Disclosure
    · Patient Record Requests
    · Auditing
  – Special breach notification rules
  – Greater enforcement and increased penalties

Page 13: HIPAA in 2021: Overview and Updates

181.001 – Covered Entity

• CE under HIPAA or under Texas law → you must comply with the Texas Medical Records Privacy Act

• Texas defines CE as “any person who…
  – (A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
  – (B) comes into possession of protected health information;
  – (C) obtains or stores protected health information under this chapter; or
  – (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.”

Page 14: HIPAA in 2021: Overview and Updates

181.154(a) – Notice

• CEs must provide individuals with general notice that the individual’s PHI may be electronically disclosed.

• Notice may be provided in any of the following ways:
  – Posted in the CE’s place of business
  – On the CE’s website
  – Any other place an individual is likely to see the notice

Page 15: HIPAA in 2021: Overview and Updates

181.154(a) – Notice Example

Source: https://www.disabilityrightstx.org/files/HB_300_HIPPA_notice.pdf

Page 16: HIPAA in 2021: Overview and Updates

181.154(b-c) – Authorization

• General Rule – CEs may not electronically disclose an individual’s PHI to any person without a separate authorization from the individual (or the individual’s legally authorized representative) for each disclosure.
  – Note → authorization may be given:
    · In writing,
    · Electronically, OR
    · Verbally (*must be documented in writing by the CE).

• Exceptions – Authorization is not required if:
  – Disclosure is made to another CE for purposes of treatment, payment, health care operations or performing an insurance or HMO function; OR
  – Otherwise required by state or federal law.

Page 17: HIPAA in 2021: Overview and Updates

181.154(d-e) – Authorization

The Texas AG has created a standard authorization form.

Final Note about CE definitions: The notice and authorization requirements do not apply to “covered entity” as defined in Tex. Ins. Code Sec. 602.001; only CEs as defined by HIPAA and Sec. 181 must comply.

Source: https://texasattorneygeneral.gov/files/agency/hb300_auth_form.pdf

Page 18: HIPAA in 2021: Overview and Updates

181.101 Training

• Requires CEs to train employees:
  – Content → State & Federal law concerning PHI “as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity”
  – Timing → Training must be completed within 90 days of hiring.
  – Material changes in State or Federal law → employee must have training within one year of the date the material change takes effect.
  – HHS says, “Industry best practices suggest that the entire workforce should be trained at least once every year and any time your practice changes its policies or procedures, systems, location, infrastructure, etc.”
  – Proof → Employees must sign a verification (electronically or in writing) to show that they completed the training. CE must keep the verification for 6 years.

Image: http://www.imarketingbiz.net/wp-content/themes/revolution_tech-30/images/chuks/computer-training.jpg

Page 19: HIPAA in 2021: Overview and Updates

181.153 Disclosure of PHI

• General Rule: A CE may not disclose PHI for direct or indirect remuneration.

• Exceptions: Disclosure of PHI to another CE for remuneration is allowed for:
  1. “Treatment, Payment, or Health care operations”
  2. Performing an insurance or HMO function; or
  3. As otherwise authorized by or required by state or federal law.

Note → direct or indirect payments for PHI may not exceed the CE’s “reasonable costs of preparing or transmitting the PHI.”

Page 20: HIPAA in 2021: Overview and Updates

181.102 Patient Access to Records

• General Rule → offices have 15 business days to provide electronic records (Federal Rule is 30 days), when:
  – Office is using an EHR system that is “capable of fulfilling the request”
  – Person sends a “written request”
  – Person can agree to accept another form

• Exceptions: Federal exceptions to release of PHI under HIPAA apply.

• Standard electronic format could be recommended
  – Health Information Exchange (HIE) Texas
  – http://hietexas.org/providers

Page 21: HIPAA in 2021: Overview and Updates

181.103 – Consumer Website Created

Source: https://texasattorneygeneral.gov/cpd/texas-health-information-privacy-laws-2013

Page 22: HIPAA in 2021: Overview and Updates

181.206 Auditing

• Texas HHSC may request that the U.S. Secretary of Health and Human Services perform an audit of a CE in Texas to determine HIPAA compliance. HHSC must monitor results of the request.

• If Texas HHSC has evidence that a CE has committed violations that are egregious and constitute a pattern or practice, HHSC may:
  – Require the CE to perform and submit a risk analysis, OR
  – Alternatively, refer the CE to a licensing agency for an audit

• Texas HHSC must report to the Texas Legislature on the number of federal audits conducted.

Page 23: HIPAA in 2021: Overview and Updates

Breach Notification

Image: https://upload.wikimedia.org/wikipedia/commons/thumb/9/90/Mail-notification.svg/1024px-Mail-notification.svg.png

Page 24: HIPAA in 2021: Overview and Updates

HIPAA – Breach Notification Rule

• Definition of Breach → “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted…which compromises the security or privacy of the [PHI].”

• Breach Analysis
  – Breach is presumed UNLESS the CE or BA can prove that there is a low probability that the PHI has been compromised based on a risk assessment (four parts):
    · Type or nature and extent of the PHI
    · Who was the unauthorized person involved
    · Whether the PHI was actually acquired or viewed
    · Extent to which any risk has been mitigated

Page 25: HIPAA in 2021: Overview and Updates

HIPAA – Breach Notification Rule

Notification Rules – required if the breach involved unsecured PHI
  – Individuals → within 60 days of discovery
  – HHS Secretary
    · More than 500 affected → within 60 days
    · Fewer than 500 affected → annual reporting
  – Media
    · More than 500 affected → within 60 days

Page 26: HIPAA in 2021: Overview and Updates

Enforcement

Image: http://healthinformatics.wikispaces.com/file/view/funny1.jpg/32738200/301x251/funny1.jpg

Page 27: HIPAA in 2021: Overview and Updates

Civil Penalties

Page 28: HIPAA in 2021: Overview and Updates

Civil Penalties

HIPAA:
• $100 per unknowing violation, up to $50,000
• $1,000 per violation without willful neglect, up to $50,000
• $10,000 per violation due to willful neglect, up to $50,000
• Penalty capped at $1.5 million annually

Texas HB 300:
• $5,000 per negligent violation
• $25,000 per knowing or intentional violation
• $250,000 per violation made for financial gain
• Penalty capped at $250,000 annually if certain mitigating factors are met, or $1.5 million annually if there is a pattern of violations

Page 29: HIPAA in 2021: Overview and Updates

Recent Examples

Image: http://illinoisreview.typepad.com/.a/6a00d834515c5469e201bb082b926d970d-500wi

Page 30: HIPAA in 2021: Overview and Updates

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 31: HIPAA in 2021: Overview and Updates

Recent HIPAA Violations

Entity | Individuals Affected | Type of Breach | Fine
Bayfront Health to Sharp Health | Varied | Right to Access | Varied ($200,000 to $3,500)
Excellus Health Plan | Over 9.3 Million | Cyber-attack | $5.1 Million
City Health Department | 498 | Unauthorized Access | $202,400
Aetna | 5,002; 11,887; 1,600 | Online Disclosure and Mail Disclosures | $1 Million
CHSPSC | Over 6 Million | Cyber-attack | $2.3 Million
Athens Orthopedic | 208,557 | Cyber-attack | $1.5 Million
Premera Blue Cross | Over 10.4 Million | Cyber-attack | $6.85 Million

Source: https://www.hhs.gov/about/news/index.html

Page 32: HIPAA in 2021: Overview and Updates

Recent HIPAA Violations

Entity | Individuals Affected | Type of Breach | Fine
Lifespan | 20,431 | Stolen Laptop | $1.040 Million
Dr. Porter | Over 3,000 | No Risk Analysis | $100,000
Sentara Hospitals | 577 | Mail Disclosures | $2.175 Million
TX HHSC | 6,617 | Online Disclosures | $1.6 Million
Medical Informatics Engineering | 3.5 Million | Compromised Employee ID | $100,000
Touchstone Medical Imaging | Over 300,000 | Online Disclosures | $3 Million
Allergy Associates | 1 | Public Disclosure | $125,000
Boston Medical Center | Varied | Public Disclosure | $999,000

Source: https://www.hhs.gov/about/news/index.html

Page 33: HIPAA in 2021: Overview and Updates

COVID-19 Federal Updates

• HIPAA Enforcement and COVID (February 3, March 28, & April 2, 2020)
  – HIPAA Privacy Rule allows disclosure of PHI for treatment and to public health authorities. This does not extend to media outlets, and the “minimum necessary” rule should be followed.

• Telehealth (March 17 and March 20, 2020)
  – OCR will not impose penalties for the good faith use of telehealth during the COVID-19 public health emergency. Any “non-public facing remote communication product” can be used. Allowed: Apple FaceTime, Facebook Messenger, and Skype. Not allowed: Facebook Live, Twitch, and TikTok.

• Media Access Limited (May 5, 2020)
  – Guidance for media outlets regarding filming or photographing patients.

• Using Health Information Exchanges (HIE) (December 18, 2020)
  – HIPAA permits some disclosure of PHI to an HIE for reporting to a public health authority engaged in public health activities.

• Enforcement discretion for online scheduling (January 19, 2021)
  – OCR will not impose penalties for HIPAA violations in connection with the good faith use of online or web-based scheduling applications for COVID-19 vaccinations.

Source: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html

Page 34: HIPAA in 2021: Overview and Updates

COVID-19 Texas Updates

• Telehealth (March 14, 2020; updated September 2020)
  – Phone-only encounters may establish a doctor-patient relationship and be used for continuing care.
  – Same “standard of care” and “documentation” requirements apply to telemedicine visits.
  – Follow HIPAA guidance regarding platforms.

• Chronic Pain Rx Refills (March 19, 2020; updated March 1, 2021)
  – Telephone refills of certain prescriptions to established chronic pain patients allowed if the patient has been “seen” (in-person or telemedicine using audio and video two-way communication) in the last 90 days.
  – TAC 174.5 Update went into effect on March 3, 2021 at 12:01 a.m.

Source: https://www.tmb.state.tx.us/page/coronavirus

Page 35: HIPAA in 2021: Overview and Updates

Citations

• Geiderman, J. M., Moskop, J. C., & Derse, A. R. (2006). Privacy and confidentiality in emergency medicine: Obligations and challenges. Emergency Medicine Clinics of North America, 24, 633-656.

• Kulwicki, B. S. (2015). It’s five o’clock; do you know where your records are? Obligations of individuals and entities to secure protected health information. 18 SMU Sci. & Tech. L. Rev. 455.

• U.S. Department of Health and Human Services (HHS). HIPAA for Professionals. http://www.hhs.gov/hipaa/for-professionals/index.html (retrieved 8/8/16).

• HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf (retrieved 8/8/16).

• U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) Breach Portal. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (retrieved 8/8/16).