HIPAA: The New Era
Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC
Clinical Practice Compliance Conference
Philadelphia, PA
October 15, 2013
Agenda
• Review of the Omnibus Rule
• Highlight Critical Elements
• Application - From Rule to Practice
• OCR Investigations and Penalty Calculations
• Mitigating Risk
• Summary/Q & A
HIPAA Omnibus Rule
• Implements HITECH provisions
• Compliance Date – September 23, 2013
• Next step in HIPAA Compliance
HIPAA Omnibus Rule - Changes
• Business Associates and subcontractors
• Breach notification
• Marketing
• Sale of PHI
• Fundraising
• Notice of Privacy Practices
• Individual access to ePHI
• Third party designation for receipt of PHI
• Research
• Decedent PHI
• Student Immunization Records
• Restriction on health plan disclosures
Review of Critical Elements
Business Associates and Subcontractors:
• “Maintains” is now included in the definition of Business Associate
• Anyone who stores PHI, even if it is not accessed, is a BA
• Privacy protection requirements are now extended to subcontractors of business associates
• All Business Associates must comply with the Security Rule requirements for safeguards:
  • Administrative
  • Physical
  • Technical
• BAs now have civil and criminal liability
• Covered Entities are responsible for breaches of BAs through “Agency Liability”
Application – Business Associate Agreements
The Impact of BA Changes to Covered Entities:
• The Covered Entity (CE) does not need a BAA with a subcontractor
  • The BA must have a BAA with the subcontractor
  • The subcontractor must agree to the same restrictions and conditions as the BA
• CEs should:
  • Revise their BAA to require subcontractor compliance
  • Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
  • Consider an indemnification clause in the BAA
• CEs are responsible no matter what…try to protect yourself
Review of Critical Elements
Breach Notification Rules:
• Old Rule – A reportable breach occurs if 3 elements are present:
  1. Violation of the Privacy Regulations
  2. Unsecured PHI
  3. Substantial risk of financial, reputational, or other harm to the individual
• New Rule – A reportable breach is PRESUMED to have occurred if:
  1. There is a violation of the Privacy Regulations that includes
  2. Unsecured PHI
  Unless … there is a “low probability” that PHI has been compromised
Review of Critical Elements
Breach Notification (Continued):
• “Low Probability” is based on 4 factors:
  • What was the nature and extent of the protected health information (PHI) involved, including the types of identifiers in the information and the likelihood of re-identification?
  • To whom was the unauthorized information disclosed?
  • Was the PHI actually acquired or viewed?
  • What was the extent to which the risk to PHI has been mitigated?
Application – Breach Notification Requirements
The Impact of Breach Notification changes:
• Change your risk assessment to evaluate the 4 factors
• As a practical matter…
  • The outcome of your assessment may not change
• Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
• Consider an indemnification clause in the BAA
• CEs are responsible no matter what…try to protect yourself
Review of Critical Elements
Restrictions on Health Plan Disclosures:
• New Rule – Patients may restrict information provided to health plans if:
  1. The patient requests the restriction;
  2. The patient has paid in full for the service or healthcare item; and
  3. The disclosure would have been for payment or healthcare operations and is not required by law.
Application – Restrictions on Health Plan Disclosures
The Impact of Restrictions on Disclosures to Health Plans:
• Determine the services for which patients might want to restrict disclosure
• Evaluate your record system for mechanisms to flag these disclosures
• Considerations:
  • What happens if subsequent treatment
• As a practical matter…
  • The outcome of your assessment may not change
  • Develop your risk assessment in advance
Review of Critical Elements
Notice of Privacy Practices (NPP):
• Covered Entities must amend their NPP
• Patient authorization is required for:
  • Most uses and disclosures of psychotherapy notes
  • Uses and disclosures for marketing
  • Sale of PHI
  • All other uses and disclosures not described in the NPP
• If PHI is used for fundraising, the individual has the right to opt out
• Right to restrict disclosures to health plans
• Right to be notified of a breach
Application – Notice of Privacy Practices
Impact of NPP Changes:
• Changes to the NPP are “material”
• Patient notification is required…
• Healthcare providers must:
  • Prominently post the revised NPP
  • A summary of the NPP may be posted IF the full NPP is available
  • Make the NPP available upon request
  • New patients must receive the NPP
  • Good faith acknowledgement of receipt
  • NPP may be e-mailed
Review of Critical Elements
Individual Access to ePHI
• If PHI is maintained electronically…
  • Even if PHI is in one or more designated record sets
• If requested by the individual…
  • A copy of ePHI must be provided in the form and format requested
• If not readily producible…
  • In a readable electronic form and format “as agreed to by the individual and the CE”
Application – Individual Access to ePHI
Impact of ePHI access changes:
• Goal is to move to electronic access
• CEs are not required to purchase new systems to satisfy the requirement
• Rely on the “Reasonableness” standard
• Include ALL PHI in the designated record set
  • Example: Photographs linked to the record
• Paper PHI is not required to be scanned
• May send PHI via unencrypted e-mail if…
  • The individual has been advised of and accepts the security risks
  • CE should amend their request “form” to include the advisory
OCR Investigations
• Snooping in a medical record
• Unauthorized disclosure of health information
• PHI placed in the regular trash
• Lost or stolen laptop
• Cell phone or personal camera pictures of patient’s body parts or X-rays
• Top 5 OCR investigation issues with Corrective Action Required:
  1. Impermissible Uses & Disclosures
  2. Safeguards
  3. Access
  4. Minimum Necessary
  5. No NPP (Notice of Privacy Practices)
Source: HHS OCR Website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html
Civil Monetary Penalties from ARRA: Penalty Calculation

Violation Standard                                                                    | Minimum Penalty (per violation) | Maximum Penalty (per violation)
Not known by the entity and could not have been discovered with reasonable diligence | $100                            | $50,000
Reasonable cause, but not from willful neglect                                        | $1,000                          | $50,000
Willful neglect, but corrected within 30 days of discovery                            | $10,000                         | $50,000
Willful neglect and not corrected within 30 days                                      | $50,000                         | $50,000

Penalty cap = $1,500,000
Penalty Calculations
Greatest liability amount for a privacy investigation?
$1,500,000
NOT SO FAST!
1. The limit is “per identical violation” AND
2. “Per calendar year”
Penalty Calculations
Example: Cignet Health Center (Maryland, Feb. 2011)
CMP Imposed: $4,351,000
Violations:
• Failure to provide access to records for 41 individuals
• Failure to cooperate
Timeframe:
• 2008, 2009, and 2010
How did $1,500,000 become $4,351,000?
Penalty Calculations
• 2008 limits: $100 per violation, $25,000 per year
• Violation 1 – Failure to provide access
  • Each patient x each day x $100
  • 2008 - $27,800
  • 2009 - $926,100
  • 2010 - $397,700
  • Total: $1,351,000
• Violation 2 – Failure to cooperate
  • $50,000 per patient per day
  • For each calendar year: 2009 and 2010
  • “Total exceeds calendar year limit” - $1,500,000 per year
  • Total: $3,000,000
Mitigating Risk
• Pilot program Summary
  • 20 pilot audits performed and results analyzed
Source: Sanchez, Linda, 2012 HIPAA Privacy and Security Audits, http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf (last accessed 1/21/13)
Mitigating Risk
Privacy findings:
• Review process for denials of patient access to records;
• Failure to provide appropriate patient access to records;
• Lack of policies and procedures;
• Uses and disclosures of decedent information;
• Disclosures to personal representatives; and
• Business associate contracts.
Mitigating Risk
Security findings:
• User activity monitoring;
• Contingency planning;
• Authentication/integrity;
• Media reuse and destruction;
• Risk assessment; and
• Granting and modifying user access.
Mitigating Risk
OCR Audit protocol
• First posted on OCR website on June 26, 2012
• Privacy Rule (78):
  1. Notice of privacy practices for PHI
  2. Rights to request privacy protection for PHI
  3. Access of individuals to PHI
  4. Administrative requirements
  5. Uses and disclosures of PHI
  6. Amendment of PHI
  7. Accounting of disclosures.
• Security Rule (81):
  1. Administrative safeguards
  2. Physical safeguards
  3. Technical safeguards
• Breach Notification Rule (10)
Mitigating Risk
Review the OCR Audit protocol:
Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Summary
• Mitigating Risk
  • Develop a Risk Assessment for breach notification
  • Revise your NPP
  • Review plan to segregate health plan requests
  • Update the BAA
  • Prepare for individual access to ePHI
  • Review the OCR Audit protocol