
HIPAA: The New Era

Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC

Clinical Practice Compliance Conference
Philadelphia, PA
October 15, 2013

Agenda

• Review of the Omnibus Rule
• Highlight Critical Elements
• Application - From Rule to Practice
• OCR Investigations and Penalty Calculations
• Mitigating Risk
• Summary/Q & A


HIPAA Omnibus Rule

• Implements HITECH provisions
• Compliance Date – September 23, 2013
• Next step in HIPAA Compliance

HIPAA Omnibus Rule - Changes

• Business Associates and subcontractors
• Breach notification
• Marketing
• Sale of PHI
• Fundraising
• Notice of Privacy Practices
• Individual access to ePHI
• Third party designation for receipt of PHI
• Research
• Decedent PHI
• Student Immunization Records
• Restriction on health plan disclosures


Review of Critical Elements

Business Associates and Subcontractors:

• “Maintains” now included in the definition of Business Associate
• Anyone who stores PHI, even if it is not accessed, is a BA
• Privacy protection requirements are not extended to subcontractors of business associates
• All Business Associates must comply with the Security Rule requirements for safeguards:
  - Administrative
  - Physical
  - Technical
• BAs now have Civil and Criminal liability
• Covered Entities are responsible for breaches of BAs through “Agency Liability”

Application – Business Associate Agreements

The Impact of BA Changes to Covered Entities:

• The Covered Entity (CE) does not need a BAA with a subcontractor
  - The BA must have a BAA with the subcontractor
  - The subcontractor must agree to the same restrictions and conditions as the BA
• CEs should:
  - Revise their BAA to require subcontractor compliance
  - Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
  - Consider an indemnification clause in the BAA
• CEs are responsible no matter what… try to protect yourself


Review of Critical Elements

Breach Notification Rules:

• Old Rule – A reportable breach occurs if 3 elements are present:
  1. Violation of the Privacy Regulations
  2. Unsecured PHI
  3. Substantial risk of financial, reputational, or other harm to the individual
• New Rule – A reportable breach is PRESUMED to have occurred if:
  1. There is a violation of the Privacy Regulations that includes
  2. Unsecured PHI
  Unless … there is a “low probability” that PHI has been compromised

Review of Critical Elements

Breach Notification (Continued):

• “Low Probability” is based on 4 factors:
  - What was the nature and extent of the protected health information (PHI) involved, including the types of identifiers in the information and the likelihood of re-identification?
  - To whom was the unauthorized information disclosed?
  - Was the PHI actually acquired or viewed?
  - What was the extent to which the risk to PHI has been mitigated?


Application – Breach Notification Requirements

The Impact of Breach Notification changes:

• Change your risk assessment to evaluate the 4 factors
• As a practical matter…
  - The outcome of your assessment may not change


Review of Critical Elements

Restrictions on Health Plan Disclosures:

• New Rule – Patients may restrict information provided to health plans if:
  1. The patient requests the restriction;
  2. The patient has paid in full for the service or healthcare item;
  3. The disclosure would have been for payment or healthcare operations and is not required by law.


Application – Breach Notification Requirements

The Impact of Restrictions on Disclosures to Health Plans:

• Determine the services for which patients might want to restrict disclosure
• Evaluate your record system for mechanisms to flag these disclosures
• Considerations:
  - What happens if subsequent treatment


• Develop your risk assessment in advance

Review of Critical Elements

Notice of Privacy Practices (NPP):

• Covered Entities must amend their NPP
  - Patient authorization is required for:
    - Most uses and disclosures of psychotherapy notes
    - Uses and disclosures for marketing
    - Sale of PHI
    - All other uses and disclosures not described in the NPP
  - If PHI is used for fundraising, the individual has the right to opt out
  - Right to restrict disclosures to health plans
  - Right to be notified of a breach


Application – Notice of Privacy Practices

Impact of NPP Changes:

• Changes to the NPP are “material”
• Patient notification is required…
• Healthcare providers must:
  - Prominently post the revised NPP
    - A summary of the NPP may be posted IF the full NPP is available
  - Make the NPP available upon request
  - New patients must receive the NPP
    - Good faith acknowledgement of receipt
  - NPP may be e-mailed

Review of Critical Elements

Individual Access to ePHI

• If PHI is maintained electronically
  - Even if PHI is in one or more designated record sets
• If requested by the individual…
  - A copy of ePHI must be provided in the form and format requested
• If not readily producible…
  - In a readable electronic form and format “as agreed to by the individual and the CE”


Application – Individual Access to ePHI

Impact of ePHI access changes:

• Goal is to move to electronic access
• CEs are not required to purchase new systems to satisfy the requirement
  - Rely on “Reasonableness” standard
• Include ALL PHI in the designated record set
  - Example: Photographs linked to the record
• Paper PHI is not required to be scanned
• May send PHI via unencrypted e-mail if…
  - The individual has been advised of and accepts the security risks
  - CE should amend their request “form” to include the advisory

OCR Investigations

• Snooping in a medical record
• Unauthorized disclosure of health information
• PHI placed in the regular trash
• Lost or stolen laptop
• Cell phone or personal camera pictures of patient’s body parts or X-rays

• Top 5 OCR investigation issues with Corrective Action Required:
  1. Impermissible Uses & Disclosures
  2. Safeguards
  3. Access
  4. Minimum Necessary
  5. No NPP (Notice of Privacy Practices)

Source: HHS OCR Website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html


Penalty Calculation

Civil Monetary Penalties from ARRA:

| Violation Standard | Minimum Penalty (per violation) | Maximum Penalty (per violation) |
| Not known by the entity and could not have been discovered with reasonable diligence | $100 | $50,000 |
| Reasonable cause, but not from willful neglect | $1,000 | $50,000 |
| Willful neglect, but corrected within 30 days of discovery | $10,000 | $50,000 |
| Willful neglect and not corrected within 30 days | $50,000 | $50,000 |

Penalty cap = $1,500,000

Penalty Calculations

Greatest liability amount for a privacy investigation? $1,500,000

NOT SO FAST!

1. Limit is “per identical violation” AND
2. “Per calendar year”


Penalty Calculations

Example: Cignet Health Center (Maryland, Feb. 2011)

CMP Imposed: $4,351,000

Violations:
• Failure to provide access to records for 41 individuals
• Failure to cooperate

Timeframe:
• 2008, 2009, and 2010

How did $1,500,000 become $4,351,000?

Penalty Calculations

• 2008 limits: $100 per violation, $25,000 per year
• Violation 1 – Failure to provide access
  - Each patient x each day x $100
  - 2008 - $27,800
  - 2009 - $926,100
  - 2010 - $397,700
  - Total: $1,351,000
• Violation 2 – Failure to cooperate
  - $50,000 per patient per day
  - For each calendar year: 2009 and 2010
  - “Total exceeds calendar year limit” - $1,500,000 per year
  - Total: $3,000,000


Mitigating Risk

• Pilot program Summary
  - 20 pilot audits performed and results analyzed

Source: Sanchez, Linda, 2012 HIPAA Privacy and Security Audits, http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf (last accessed 1/21/13)

Mitigating Risk

Privacy findings:

• Review process for denials of patient access to records;
• Failure to provide appropriate patient access to records;
• Lack of policies and procedures;
• Uses and disclosures of decedent information;
• Disclosures to personal representatives; and
• Business associate contracts.


Mitigating Risk

Security findings:

• User activity monitoring;
• Contingency planning;
• Authentication/integrity;
• Media reuse and destruction;
• Risk assessment; and
• Granting and modifying user access.

Mitigating Risk

OCR Audit protocol
• First posted on OCR website on June 26, 2012
• Privacy Rule (78):
  1. Notice of privacy practices for PHI
  2. Rights to request privacy protection for PHI
  3. Access of individuals to PHI
  4. Administrative requirements
  5. Uses and disclosures of PHI
  6. Amendment of PHI
  7. Accounting of disclosures.
• Security Rule (81):
  1. Administrative safeguards
  2. Physical safeguards
  3. Technical safeguards
• Breach Notification Rule (10)


Mitigating Risk

Review the OCR Audit protocol:

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Summary

• Mitigating Risk
  - Develop a Risk Assessment for breach notification
  - Revise your NPP
  - Review plan to segregate health plan requests
  - Update the BAA
  - Prepare for individual access to ePHI
  - Review the OCR Audit protocol
