Richard E. Nell
Jesse A. Berg
The health care facet of our group focuses on contract drafting, review and negotiation, as well as entity formation and regulatory compliance. Our practice encompasses all of the laws and regulations affecting the business of health care and HIPAA, including Civil Monetary Penalties, EMTALA (including defense of EMTALA proceedings), NPDB, tax-exempt issues, practice management, professional licensure and medical staff issues.
Jesse counsels health care providers on federal and state anti-kickback laws, the Stark physician self-referral law, Medicare and Medicaid reimbursement, enrollment and participation issues, HIPAA and state privacy and confidentiality matters, as well as federal and state antitrust issues. Jesse provides legal guidance to a variety of different types of health care providers.
Background on HIPAA and HITECH: Privacy and Security Regulations and the Status of HITECH Regulations
Richard E. Nell
Nell & Associates, S.C.
Jesse A. Berg
Gray Plant & Mooty
2010
Feb. 17:
BA contracts required for certain entities
BAs' security obligations
BAs' privacy obligations
Access to information in electronic format
Request on restrictions for PHI disclosures to plans when payment is out of pocket
Conditions on certain communication as part of health care operations
Guidance on minimum necessary rule
Proposed regulations on prohibition on sale of EHRs or PHI
Criminal willful neglect regulations
Aug. 24
Sep. 23
2011
Jan. 1:
Accounting for EHR disclosures (if EHR acquired after 1/1/09)
Aug. 17
Feb. 17:
Effective date for final regulations on sale of EHRs or PHI
Criminal willful neglect effective
Sep. 17
2014
Jan. 1:
Accounting for EHR disclosures (if EHR acquired as of 1/1/09)
Published July 14, 2010 (75 Fed. Reg. 40,868)
Deadline for submitting comments was September 13, 2010
Unless otherwise indicated, compliance date is 180 days after publication of Final Rule
Later date for revising BA contracts
Issue of whether amendments to BA contracts with Covered Entities are required
New limitations on use and disclosure of PHI for marketing, fundraising
Individual rights (access, requesting restrictions, notice of privacy practices)
HHS sought guidance on minimum necessary
Increasing enforcement:
Enhanced penalties
Aggressive regulators
HITECH Act
Required Covered Entities to provide accounting of disclosures from an electronic health record to carry out treatment, payment and health care operations
May 3, 2010: HHS issues request for information for HITECH AOD standard
ACCOUNTING OF DISCLOSURES
Under HITECH, CEs and BAs will need to account for TPO disclosures if they use an EHR:
CEs that have EHR before 1/1/09 not bound until 2014
CEs that acquire EHR after 1/1/09 bound on 1/1/11
Applies to 3 years prior to date on which accounting requested
HHS can postpone compliance dates for two years
Key components:
Created broad new access report right
Limited current AOD right
Effective Dates
Access reports on 1/1/13 or 1/1/14
AOD requirement 240 days after final regulations published
Right to AOD
Scope of information subject to accounting is information in designated record set (DRS)
Proposal would require the CE to include the disclosures of its BAs in the accounting
Reduces the accounting period to disclosures occurring during the previous 3 years, rather than 6 years
Right to AOD
Provides a list of the types of disclosures subject to the accounting:
Public health
Judicial and administrative proceedings
Law enforcement
Avert threat to health/safety
Military and veterans activities
Dept. of State
Government programs providing public benefits
Workers compensation
Impermissible disclosures, unless constitutes a breach
Right to AOD
Modifies elements of the existing content requirements:
An explanation of the type of PHI disclosed, instead of a brief description of the PHI disclosed
A description of the purpose, instead of a statement of the purpose, in an effort to clarify that only a minimum description is required if it reasonably informs the individual of the purpose
Gives individuals the option to limit their accounting to either a particular time period, type of disclosure or recipient
Access Report
Covered entities required to provide an individual with an access report identifying who has accessed the individual's electronic designated record set information
Access right does not extend to paper records
Access Report
Two major differences from HITECH Act statutory provisions:
Provides an individual with the right to be informed of all persons who have accessed their record, regardless of whether the information was actually disclosed to someone outside of the entity's workforce
Creates a new right to receive an access report with respect to the designated record set maintained by all covered entities, regardless of whether those entities have implemented EHRs
HITECH provided for accounting of disclosures from EHRs
Access Report
HHS: new access right would not impose an unreasonable burden on covered entities
HHS: under HIPAA Security Rule, electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report
Access Report
Report must include the following elements:
date of the access
time of the access
name of the individual, if available, or otherwise the name of the entity who accessed the information
description of what information was accessed, if available
description of the action by the user, if available
Electronic DRS information will often reside on a number of distinct systems with separate access logs. HHS expects covered entities to aggregate that data into a single access report.
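As an added illustration (not code from the presentation, from HHS or from the proposed rule), the following Python shows what the aggregation expectation means in practice: three constructed per-system access logs, one of them supplied by a business associate, each with its own schema, are normalised into the five report elements listed above, filtered to one individual and optionally to a date range, and ordered chronologically; the system names, log schemas and records are all assumptions made for the example.

```python
"""Aggregate per-system access logs into one patient access report.

Added illustration, not code from the presentation or from HHS. The system
names, log schemas and every log record below are constructed for the example.
"""
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample logs from three hypothetical systems. Each keeps its own
# schema, which is the practical problem behind the aggregation expectation.
EHR_LOG = [
    {"ts": "2011-03-02T09:15:00", "user": "jdoe", "patient": "P-1001",
     "record": "lab results", "action": "view"},
    {"ts": "2011-03-02T09:20:00", "user": "jdoe", "patient": "P-1002",
     "record": "medication list", "action": "view"},
]
BILLING_LOG = [
    {"when": "2011-03-01 14:02", "who": "", "mrn": "P-1001",
     "what": "claim 4471", "op": "print"},
]
# Log supplied by a business associate; it identifies the entity, not a person.
BA_LOG = [
    {"time": "2011-02-27T08:00:00", "entity": "Acme Billing LLC",
     "patient": "P-1001", "data": None, "action": None},
]

# A normalised access event: (patient id, timestamp, who, what, action).
Event = Tuple[str, datetime, Optional[str], Optional[str], Optional[str]]


def from_ehr(r: Dict) -> Event:
    return (r["patient"], datetime.fromisoformat(r["ts"]),
            r["user"], r["record"], r["action"])


def from_billing(r: Dict) -> Event:
    return (r["mrn"], datetime.strptime(r["when"], "%Y-%m-%d %H:%M"),
            r["who"], r["what"], r["op"])


def from_ba(r: Dict) -> Event:
    return (r["patient"], datetime.fromisoformat(r["time"]),
            r["entity"], r["data"], r["action"])


# Each source: a label, its raw records, and the adapter that maps a record
# to an Event. A real deployment would read these from the systems themselves.
SOURCES: List[Tuple[str, List[Dict], Callable[[Dict], Event]]] = [
    ("ehr", EHR_LOG, from_ehr),
    ("billing", BILLING_LOG, from_billing),
    ("ba:acme-billing", BA_LOG, from_ba),
]


def build_access_report(patient_id: str, sources=SOURCES,
                        start: Optional[str] = None,
                        end: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one chronological report for patient_id across all sources.

    The five report elements follow the list in the proposed rule; the
    optional ISO-format start/end dates narrow the report to a period.
    """
    lo = date.fromisoformat(start) if start else None
    hi = date.fromisoformat(end) if end else None
    rows = []
    for source, records, adapter in sources:
        for rec in records:
            pid, ts, who, what, action = adapter(rec)
            if pid != patient_id:
                continue
            if (lo and ts.date() < lo) or (hi and ts.date() > hi):
                continue
            rows.append({
                "date": ts.date().isoformat(),
                "time": ts.strftime("%H:%M"),
                # "If available" elements are reported as such, never guessed.
                "who": who or "name not available",
                "information": what or "not available",
                "action": action or "not available",
                "source": source,
            })
    rows.sort(key=lambda r: (r["date"], r["time"]))
    return rows


def report_due_date(request_date: str) -> str:
    """Outside date for producing the report: 30 days after the request."""
    return (date.fromisoformat(request_date) + timedelta(days=30)).isoformat()


if __name__ == "__main__":
    for row in build_access_report("P-1001"):
        print(row)
    print("due by", report_due_date("2011-03-10"))
```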
Access Report
30 day timeline for providing the access report
Within the 30 day period, a covered entity also would need to include the access logs of its business associates that create, receive, maintain or transmit electronic designated record set information
Access Report
Covered entity would need to provide an individual with a notice of privacy practices that contains a statement of the individual's right to receive both an accounting of disclosures of PHI and an access report
Because the access report requirement is new, it would require an amendment to existing privacy notices
Other changes to NPP as HITECH regulations are finalized?
Right to AOD
Provision of an accounting of disclosures:
Timeframe for responding to an accounting request decreased to 30 days
Must provide individuals with the accounting in the form (e.g. paper or electronic) and format (i.e., compatible with a specific software application) requested by the individual, if readily producible
May require the individual to submit the accounting request in writing (which includes electronic requests)
Covered entity informs individuals of this requirement
Minimum Necessary
HITECH section 13405(b): Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary
HHS to issue guidance on what constitutes minimum necessary (at which time provision sunsets)
HHS asked for comment on what guidance would be helpful to covered entities and BAs
No change to current regulation
BA must provide PHI to covered entity, individual, or individual's designee as set forth in BA agreement
MARKETING
Current rule: certain marketing-type activities are exempted from definition of marketing and are considered as part of treatment or healthcare operations
Under HITECH, authorization is required for such disclosures if the CE receives direct or indirect payment in connection with the communication
Effective Feb. 17, 2010
Audit report:
Best practices noted; instances of noncompliance
Raw data (completed checklists, interview notes)
Recommendations for actions to address compliance problems
Recommendations to HHS for corrective action
Research Authorizations
Covered entity can use one authorization form for use and disclosure of PHI in clinical trial and for PHI to be placed into repository (biospecimen storage)
Requested comment on amount of specificity about future research uses needed in authorization
Do authorizations have to be research specific?
Decedent Information
Decedent's information is no longer PHI after 50-year period
Request for comment on proposal of 50 years
Covered entity may disclose decedent's PHI to family members and others who were involved in care/payment for care of decedent prior to death, unless inconsistent with prior expressed preference
Overview of HIPAA Privacy Rule: Application, Patient Access Rights and Restrictions
Richard E. Nell
Nell & Associates, S.C.
Jesse A. Berg
Gray Plant & Mooty
Covered Entities
Health Plans
Group Health Plans
Health Care Clearinghouses
Health Care Providers Who Engage in Electronic Transactions
Health Plans
Individual or Group Plan That Pays for the Cost of Medical Care, Includes:
Health Insurance Issuer
HMO
Medicare
Medicaid
Medicare Supplement Policy
Health Plans
Long Term Care Policies (Excluding Nursing Home Fixed Indemnity)
Employee Welfare Benefit Plan
Health Care Program for Active Military
Veterans Health Program
CHAMPUS
Indian Health Service Program
Health Plans
Federal Employees Health Benefits Program
SCHIP
Medicare+Choice
High Risk Pool
Any Other Individual or Group Plan or Combination
Health Plans
Excluded From Health Plans:
Policy, Plan, or Program to Extent it Provides or Pays for Benefits Excepted Under the PHS Act
A Government Funded Program (Other Than Those Listed) Whose Principal Purpose is Other Than Providing or Paying for Health Care or Direct Provision or Grants
Workers Compensation, Automobile, Property and Casualty Insurance
Insured and Self-Insured Plans To Extent Plan Provides Medical Care to Employees or Participants
50 or More Participants OR Administered by Third Party
What is Covered
Protected Health Information
Also Known as PHI
Individually Identifiable Health Information
Transmitted Electronically
Maintained in any Media Described Under HIPAA
Transmitted or Maintained in ANY OTHER FORM
Personal Rights
Overview
Covered Entities Must Grant Certain Rights to Individuals
Informational Forms and Means of Access and Accounting
Complaint Process
Internal and DHHS
Contact
Privacy Officer
Effective Date
Revise
Covered Entity Must Promptly Revise and Distribute if Material Change
ACCESS TO PHI
Effective Feb. 17, 2010, a CE which maintains an EHR is required:
To produce a copy of such PHI in electronic format upon the individual's request
To transmit an electronic copy directly to an entity designated by the individual if the request is clear and specific
Fees for this may not be greater than the CE's labor costs in responding to the request for the copy
Access to PHI
Individual Has Right of Access and Inspection
No Right to Psychotherapy Notes, Information Compiled for Legal Proceeding, or Exempt Under CLIA
May Deny Without Review if For Above, if For Inmate, if During Research, if Under Privacy Act, or if Obtained From Another Party
Access to Designated Record Set
Right of Access
Must Provide Review if Refused Due to Endangerment, Due to Mention of Another Person, or if Access by Personal Representative a Danger
Response to Request Within 30 Days + 30 Day Extension If Reasonable
Must be in Requested Format or Summary if Acceptable; Cost-based Fee
Denial of Access
Provide Access to Non-Objectionable PHI
Written Denial, in Plain Language, of Basis and Complaint Process
Notify Individual of Location if Not With Covered Entity
Right to Amendment
Individual May Request Amendment to PHI
Covered Entity May Deny if Not Its Record, Not Available for Access, or if Accurate
Covered Entity May Require That Request Be in Writing and Provide Reason
60 Day Time Limit + 30 Day Extension
Acceptance of Amendment
Covered Entity Must Amend/Append Record
Covered Entity Must Notify Individual
Covered Entity Must Notify Third Parties and Business Associates of Amendment
Denial of Amendment
Must Provide Individual With Written Denial
Provide Individual Right to Submit Statement in Disagreement
Copies Sent Out to Third Parties
Covered Entity May Submit Rebuttal Statement
Suspension of Accounting
Temporarily Suspend Accounting if Health Oversight Agency or Law Enforcement Official Provides Statement
If in Writing, for as Long as Specified
If Orally, for 30 Days
RESTRICTIONS ON DISCLOSURES
Effective Feb. 17, 2010, CE must agree to requested restrictions on disclosures of PHI if:
Disclosure is to health plan for purposes of carrying out payment or health care operations; and
PHI pertains solely to an item/service for which provider involved was paid out of pocket in full
Uses and Disclosures of PHI Including Authorization, Business Associates, and Other Key Components
Richard E. Nell
Nell & Associates, S.C.
Jesse A. Berg
Gray Plant & Mooty
Uses or Disclosures
Use and Disclosure for Treatment, Payment, and Health Care Operations (TPO)
Covered Entity Generally May Use and Disclose PHI for TPO
No Consent; Now Notice of Privacy Practices
Treatment: Use or Disclose to Any Provider
Payment: Use or Disclose Minimum Necessary to Any Other
Uses or Disclosures
Health Care Operations
Quality Assurance Activities
Quality Assessment and Guidelines, Case Mgmt.
Insurance Activities
Underwriting, Premium Rating
Compliance Activities
Fraud and Abuse Compliance
Business Activities
Legal, Auditing, Business Planning, Sale of Practice
Uses or Disclosures
De-Identified Information
Not PHI
May Statistically Determine That PHI has Been De-Identified:
Qualified Individual Offers Professional Conclusion
Mathematically Not Identifiable
Uses or Disclosures
De-Identified Information Safe Harbor
Names
Geographic Subdivisions
Dates
Telephone Numbers
Facsimile Numbers
Email Address
Social Security Numbers
Medical Record Numbers
Health Plan Numbers
Uses or Disclosures
De-Identified Information Safe Harbor
Account Numbers
License Numbers
Vehicle Identifiers
Device Identifiers
URLs
Internet Addresses
Biometric Finger and Voice Prints
Facial Photographs
Etc.
Sale of PHI
Covered entity prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
If authorization obtained, authorization must state that disclosure will result in remuneration
Exceptions:
Public health
Research, if remuneration limited to cost to prepare and transmit PHI
Treatment & payment
Sale of PHI
Exceptions (cont.)
Sale of business
Remuneration to BA for services rendered
Providing access or accounting to individual
Disclosure required by law
Where only remuneration received for otherwise permitted disclosure is reasonable, cost-based fee to prepare and transmit PHI or fee otherwise expressly permitted by other law
Authorization
Elements
Meaningful Description of PHI
Identify Entities or Class Disclosing
Identify Entities or Class Receiving
Purpose
Expiration Date or Event
Individual's Rights
Revocation
Marketing = Remuneration
Dated and Signed
Authorization
Typically Cannot Condition Treatment Upon Execution
Allowed to Condition if for Third Party Fitness for Duty, etc.
Health Plan May Condition for Underwriting or Risk Rating
Provider May Condition for Research
Authorization
Psychotherapy Notes Require
Marketing Requires
Research Typically Requires
Any Use or Disclosure Not Addressed by the Rule
Disclosure
Release, Transfer, Provision of Access to, or Divulging PHI In Any Manner Outside Covered Entity
Other Uses or Disclosures Requiring Opportunity to Object
Covered Entity may Use or Disclose PHI in Limited Situations Based Upon Informal Permission
Disclose to Family Members, Relatives, Individuals Identified Who Are Involved in Care or Treatment
Use or Disclose for Facility Directory to Anyone Asking for by Name, Clergy
Opportunity to Object
Permission in Advance
No Documentation Required
If Emergency, May Disclose to Those Involved in Care, if Professional Judgment Exercised
Covered Entity May Release X-Rays, Rxs, Supplies to Person Acting on Individual's Behalf, if Professional Judgment
Other Uses or Disclosures Without Opportunity to Object
Covered Entity Must Verify Identity of Requester and Authority
Where Required by Law
Public Health Activities:
Reporting Disease
Reporting Vital Statistics
Reporting to FDA
Reporting to Employer
Reporting Communicable Diseases
To Avert Serious Threat to Public
Certain Specialized Governmental Functions: National Security, VA, Military, Secret Service
Workers Compensation Act
Disclosures to Attorneys
Subpoenas
Notice and Opportunity to Object, or Move for Qualified Protective Order (QPO)
QPO Not a Good Choice: Would Appear to Require Return or Destruction; No "Not Feasible" Language in the Order
Subpoenas
Proposed Procedure
Notice Letter to Patient/Patients Attorney
Allow for Reasonable Time (14 Days) to File Objection Dispute Over Notice to Attorney Only?
Upon Conclusion of Time Period Send Subpoena, Copy of Notice Letter, and Cover Letter to Covered Entity
One Package, Not Waiting on Objections
Subpoena - Guidance
A Copy of the Subpoena (or Other Lawful Process) is Sufficient When, On Its Face, It Meets the Requirements of 45 CFR 164.512(e)(1)(iii), Such as Demonstrating the Individual Who is the Subject of the PHI is a Party to the Litigation, Notice of the Request has Been Provided to the Individual or His or Her Attorney, and the Time for Objections has Elapsed and No Objections Were Filed or All Objections Have Been Resolved. When These Requirements are Evident on the Face of the Request, No Additional Documentation is Required. HHS FAQ #708
Minimum Necessary
Must Use or Disclose the Minimum Necessary PHI to Carry Out Task
Specifically Restricted From Using Entire Medical Record
May Reasonably Rely Upon Statement of Professional or Law Enforcement
Internally, Restrict Access Role-Based
Minimum Necessary
Exceptions
Treatment
Authorization
To the Individual
To DHHS
Where Required by Law, Including HIPAA
Law Enforcement
Disclosure for law enforcement purpose to law enforcement official
As required by law; reporting of wounds/injuries
To comply with a court order or court-ordered warrant, a subpoena or summons
In response to a grand jury subpoena
To respond to an administrative request
Only Minimum Necessary
If requesting official unknown, Covered Entity must identify and verify authority of official
CE may reasonably rely upon official's representation that minimum necessary requested
Required by Law
To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i))
Example: state laws commonly require providers to report gunshot or stab wounds, or other violent injuries
"Required by law": mandate contained in law compelling disclosure which is enforceable in a court of law
Process
Court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer (45 CFR 164.512(f)(1)(ii)(A))
The Rule recognizes that the legal process in obtaining a court order protects the PHI
Judicial Officer:
Preamble originally required finding
Term is not defined; look to state law?
Appears to be different than court
Administrative Request
To respond to an administrative request, such as an administrative subpoena or summons, civil or authorized investigative demand or similar process authorized under law (45 CFR 164.512(f)(1)(ii)(C))
May be without judicial involvement
Must provide that:
PHI is relevant and material,
PHI is specific and limited in scope, and
De-identified information not sufficient
Limited Information
Limited information to be disclosed:
Name and address
Date and place of birth
Social Security number
ABO blood type and Rh factor
Type of injury
Date and time of treatment
Date and time of death
Distinguishing physical characteristics: height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos
Victims of Crime
Disclosure of PHI in response to law enforcement official's request for information about victim or suspected victim of crime (45 CFR 164.512(f)(3))
Only if individual agrees
Agreement may be oral or written
Victims of Crime
Disclosure if individual agrees, or lack of agreement due to incapacity or emergency and:
Law enforcement official represents PHI is needed to determine if violation of law by person other than victim and not intended to be used against victim;
Law enforcement official represents that immediate action depends upon disclosure and would be materially and adversely impacted if waited; and
Disclosure is in the best interests of individual in professional judgment
Workforce Victims
No violation if workforce member who is the victim of a criminal act discloses PHI to a law enforcement official (45 CFR 164.502(j)(2))
PHI is about the suspected perpetrator
Only limited information (name, address, SSN, date of treatment, etc.)
Crime does not need to occur on premises
Business Associates
Historically not Covered Directly by HIPAA
Third Parties Who Use or Disclose PHI on Behalf of a Covered Entity, Other Than as Workforce Member
Workforce Member: More Than Employees; Also Volunteers, Aides, Trainees, and Some Agents
Business Associates
Examples
Claims Processing
Utilization Review
Quality Assurance
Billing
Legal
Accounting
Consulting
Business Associates
Covered Entity Must Obtain Satisfactory Assurances From Business Associate
Business Associate Agreement
If Public Entities, Memorandum of Understanding
Covered in Greater Detail
Or
Who Provides Legal, Actuarial, Accounting, Consulting, or Similar Services Involving Use or Disclosure of PHI
No Business Associate Contract or Agreement:
Covered Entity Transmitting PHI to a Provider for Treatment
Group Health Plan and Plan Sponsor, If Otherwise Comply With Rule
Interagency Disclosure Among Government Health Plans
Damages/Liquidated Damages Clauses
Indemnification Clauses
Insurance Coverage Requirement
Burden of Proof
CE Will Oversee BA Response to Access, Amendment, Accounting, and Any Other Disclosures
Accountability
Penalties for Non-Compliance On Covered Entity If Covered Entity Knew of Pattern or Practice That Constitutes Material Breach
CE Must Take Steps to Cure Breach or End Violation
If Unsuccessful, CE May Terminate Agreement
If Termination Not Feasible, Then Report to DHHS
Not Obligated to Monitor
Must Investigate All Complaints
Must Act Upon Any Knowledge of Violation
Conduits that only access PHI on random or infrequent basis to support transport are not BAs
Subcontractors
Treated as BAs if they create, receive, maintain, or transmit PHI on behalf of a BA
BA must have BA agreement with subcontractor BA
No BA agreement required between CE and subcontractor BA
Business Associates
BAs directly liable for:
Security Rule violations
Impermissible uses and disclosures under Privacy Rule
Uses and disclosures must comply with Privacy Rule and business associate agreement
Covered entities (and BAs) liable for acts of BAs acting as agents within scope of agency
BA must take reasonable steps in response to impermissible pattern or practice of subcontractor BA
HITECH statute said privacy and security requirements that apply to covered entities shall be incorporated into business associate agreement
Uncertainty as to whether this required an actual amendment or provisions incorporated into BA contracts as matter of law
Business Associate Contracts: Amendments Required?
Under Proposed Rule the following provisions need to be added:
BAs to use appropriate safeguards and comply with Security Rule with respect to E-PHI
BAs must report to CE any breach of unsecured PHI
Enter into written agreements with subcontractors that create/receive PHI on behalf of BA imposing same restrictions that apply to BA
BAs must comply with Privacy Rule to extent BA is to carry out a CE's obligation under the Privacy Rule
Enforcement Rule changes effective immediately when final rule goes into effect
Bottom Line:
CEs and BAs will have up to 1 year and 8 months after Final Rule published to revise BA agreements
BAs must comply with other applicable provisions of Privacy and Security Rules during this transition period
Business Associates
Historically were not covered directly by HIPAA
Generally liable only for breaching their business associate agreement with a covered entity
HITECH:
Clarifies that certain entities are BAs
Expands HIPAA requirements that apply to BAs
Business Associates
Business Associate Means a Person, Other Than a Workforce Member, Who:
Provides Legal, Actuarial, Accounting, Consulting, Where the Provision of the Service Involves the Disclosure of Individually Identifiable Health Information
Violation of Business Associate Agreement
If Business Associate Violates Agreement, and Covered Entity Fails to Act, Then Covered Entity is Subject to Penalties
Note that Business Associate Attorney is NOT Subject to Penalties
Privacy Rule Does Not Directly Govern Business Associates
Waiver/Loss of Protections
BA Agreement Requirement That BA Attorney Must Make Internal Practices, Books, and Records Available
Could Result in Requiring Production of Privileged and/or Work Product Materials
Issue Whether Must Produce to DHHS and Whether Waives Protections as to Others
Overview of HIPAA Security Rule: Obligations of Covered Entities and Business Associates
Richard E. Nell
Nell & Associates, S.C.
Jesse A. Berg
Gray Plant & Mooty
Security Rule
Security Rule Administrative Safeguards
Security Management Process
Implement Policies and Procedures to Prevent, Detect, Contain, and Correct Security Violations
Implementation Analysis
Risk Analysis (Required)
Conduct an Accurate and Thorough Assessment of the Potential Risks and Vulnerabilities to the Confidentiality, Integrity, and Availability of Electronic Protected Health Information
Security Rule
Security Rule Administrative Safeguards
Implementation Analysis (Continued)
Sanction Policy (Required)
Appropriate Sanctions Against Workforce Members Who Fail to Comply With the Security Policies and Procedures
Security Rule
Security Rule Administrative Safeguards
Assigned Security Responsibility
Identify the Security Official
Workforce Security
Implement Policies and Procedures to Ensure That All Members of Its Workforce Have Appropriate Access to Electronic Protected Health Information
Prevent Those Workforce Members Who Do Not Have Access From Obtaining Access
Security Rule
Security Rule Administrative Safeguards
Workforce Security (Continued)
Implementation Analysis
Authorization and/or Supervision (Addressable)
Procedures for the Authorization And/or Supervision of Workforce Members Who Work With Electronic Protected Health Information
Security Rule
Security Rule Administrative Safeguards
Workforce Security Implementation Analysis (Continued)
Termination Procedures (Addressable)
Procedures for Terminating Access to Electronic PHI When Employment Ends
Security Rule
Security Rule Administrative Safeguards
Information Access Management Implementation Analysis
Isolating Clearinghouse Functions (Required)
Access Authorization (Addressable)
Implement Policies and Procedures for Granting Access to Electronic Protected Health Information
Security Rule
Security Rule Administrative Safeguards
Security Awareness and Training
Implementation Analysis
Security Reminders (Addressable)
Periodic Security Updates
Security Rule
Security Rule Administrative Safeguards
Security Incident Procedures
Implementation Analysis
Response and Reporting (Required)
Identify and Respond to Suspected or Known Security Incidents; Mitigate Harmful Effects of Security Incidents and Document Security Incidents and Their Outcomes
Security Rule
Security Rule Administrative Safeguards
Contingency Plan
Implementation Analysis
Data Backup Plan (Required)
Procedures to Create and Maintain Retrievable Exact Copies of Electronic Protected Health Information
Security Rule
Security Rule Administrative Safeguards
Contingency Plan Implementation Analysis (Continued)
Testing and Revision Procedures (Addressable)
Applications and Data Criticality Analysis (Addressable)
Evaluation
Implementation Analysis
Periodic Technical and Nontechnical Evaluation, Based Initially Upon the Standards Implemented Under This Rule and Subsequently, in Response to Environmental or Operational Changes Affecting the Security of Electronic Protected Health Information
Security Rule
Security Rule Physical Safeguards
Facility Access Controls
Implementation Analysis
Contingency Operations (Addressable)
Procedures That Allow Facility Access in Support of Restoration of Lost Data
Security Rule
Security Rule Physical Safeguards
Facility Access Controls Implementation Analysis (Continued)
Maintenance Records (Addressable)
Procedures to Document Repairs and Modifications to the Physical Components of a Facility
Workstation Use
Procedures That Specify the Proper Functions to Be Performed, the Manner in Which Those Functions Are to Be Performed, and the Physical Attributes of the Surroundings of a Specific Workstation or Class of Workstation
Workstation Security
Physical Safeguards for All Workstations
Security Rule
Security Rule Physical Safeguards
Device and Media Controls
Implementation Analysis
Disposal (Required)
Media Reuse (Required)
Accountability (Addressable)
Data Backup and Storage (Addressable)
Security Rule
Security Rule Technical Safeguards
Access Control
Implementation Analysis
Unique User Identification (Required)
Unique Name And/or Number for Identifying and Tracking User Identity
Security Rule
Security Rule Technical Safeguards
Audit Controls
Hardware, Software, And/or Procedural Mechanisms That Record and Examine Activity in Information Systems
Integrity
Procedures to Protect Electronic Protected Health Information From Improper Alteration or Destruction
Mechanism to Authenticate Electronic PHI (Addressable)
Security Rule
Security Rule Technical Safeguards
Person or Entity Authentication
Procedures to Verify That a Person or Entity Seeking Access to Electronic Protected Health Information Is the One Claimed
Transmission Security
Integrity Controls (Addressable)
Security Measures to Ensure That Electronically Transmitted Electronic Protected Health Information Is Not Improperly Modified Without Detection
Encryption (Addressable)
Security Rule
Security Rule Organizational Requirements
Business Associate Contracts
Very Similar to the Requirements Imposed for Business Associates Under the Privacy Rule
Security Rule
Security Rule Policies and Procedures and Documentation Requirements
Policies and Procedures
Implementation Analysis
Reasonable and Appropriate Policies and Procedures to Comply With the Standards, Implementation Specifications, or Other Requirements
Security Rule
Security Rule Policies and Procedures Documentation
Implementation Analysis
Time Limit (Required)
6 Years
Security Rule
Richard E. Nell
Nell & Associates, S.C.
Jesse A. Berg
Gray Plant & Mooty
Breach Notification
Previous Rule:
Covered Entities (CEs) must mitigate, to the extent practicable, any harmful effect that is known to the CE of an unauthorized use or disclosure of PHI by the CE or its Business Associate (BA)
HITECH established breach notification requirement for CEs and BAs
Interim Final Regulations published on Aug. 24, 2009 (74 FR 42740)
Regulations will be at 45 CFR Subpart D
Breach Notification
The Basics:
Covered Entities must provide notification to individuals in event of breach of the security or privacy of unsecured PHI
Notice must also be provided to HHS
BAs must provide notice to CEs
Breach Notification
Interim Final Rule (Aug. 2009)
Effective Sept. 23, 2009
Final Rule submitted to OMB in May, 2010 but withdrawn for further consideration
Key elements:
Notification if breach of unsecured PHI and significant risk of harm
Unsecured = unusable, unreadable or indecipherable
Notice w/in 60 days of discovery or date should have known
Content requirements for notice
Notice to media and HHS if more than 500 people; annual reporting to HHS if less than 500 people
Direct application to Covered Entities and BAs
Step 1: Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E (the HIPAA privacy rule) which compromises the security or privacy of the PHI
Information must be PHI
For disclosure, acquisition, etc., to be a breach it must violate the Privacy Rule
CEs and BAs must perform a risk assessment to determine whether the significant-risk-of-harm threshold is met
Documentation of the risk assessment is key for a CE or BA that decides the harm threshold has not been met
Notification
Breach is discovered on the first day it is known, or by exercising reasonable diligence would have been known
Notice can be imputed to a CE or BA from a variety of its representatives, including employees (other than the employee causing the breach) and agents
Timing of Notification
All notifications must be made without unreasonable delay
No later than 60 calendar days after discovery
Burden on notifying entity to demonstrate that all required notifications were made, and to explain any delays
60 day period not tolled by time spent in analysis or investigation
Limited delay if requested by law enforcement
Methods of Notice
Notice must be:
In writing
By first class mail
Sent to the last known address of individual (if individual specified preference for email notification, that should be done)
One or more mailings (as more information becomes available)
If more than 500 residents of a state or jurisdiction are affected:
  Notices described above; and
  Notification to prominent media outlets in state or jurisdiction
Methods of Notice
Special circumstances notices:
If insufficient or out-of-date information and Fewer than 10 affected people:
By an alternative form of written notice, telephone or other means
Notice to HHS:
If more than 500 individuals affected, notice must be contemporaneous with notice to individuals
Can keep log of breaches affecting fewer people and provide annually to HHS
HHS to publicize breached entities on its web site
Content of Notice
All notices, to the extent possible, must include:
Description of what happened, including date of breach and date breach was discovered
Description of the types of unsecured PHI involved in the breach
Steps individuals should take to protect themselves from potential harm resulting from breach
Description of what CE is doing to investigate breach, mitigate harm to the individual and protect against further breaches
Contact procedures for individuals to ask questions or learn additional information, including toll-free number, email, web site or postal address
Wisconsin Law
DCF:
53.06: Release of adoption information
54.06: Child Placing Agencies - Records
56.09: Care of Foster Children
Administrative requirements imposed by HIPAA generally have no Wis. Law counterpart
Most issues are created by the interaction of HIPAA and Wis. Law
HIPAA and Wis. Law both impose restrictions on the disclosure of confidential medical information
Practical approach is to look first to HIPAA for baseline guidance and then to Wis. Law for more stringent legal requirements
Examples
Pupil Records
Federal Law (FERPA)
Wis. Stats. 118.125
Adds to the FERPA definition
Defines patient records within a school: pupil physical record
Disclosure is subject to Wis. Stats. 118.125(2)
Summary
Check application of HIPAA first
Check application of various Wisconsin Statutes and Regulations
Choose most favorable provision for the patient
When in doubt either:
Seek informed consent; or
Call your attorney
Enforcement
Enforcement Rule
OCR will investigate and conduct compliance review when preliminary investigation indicates willful neglect
OCR may proceed directly to formal enforcement without seeking informal resolution
Definition of reasonable cause
Necessary for culpability tiers used under HITECH to impose penalties
Preamble includes examples of conduct triggering various tiers of culpability (and associated penalties)
Enforcement Rule
Rule would eliminate exception from liability of CEs for civil monetary penalties for violations resulting from acts of agents if:
Agent is BA
Compliant BA agreement in place
CE did not (1) know of pattern of activity or practice of BA; and (2) did not fail to act as required by Privacy Rule/Security Rule with regard to such violations
CEs directly liable for acts of BAs who are agents within meaning of federal common law
BAs similarly liable for acts of their agents (including subcontractors and workforce members)
Enforcement Authority
Secretary of HHS
Delegated to the Administrator, CMS
Authority to Investigate Noncompliance and Enforcement of Certain Regulations:
Transaction and Code Set Rule
National Employer Identifier Number (EIN) Rule
Security Rule
National Provider Identifier Rule
National Plan Identifier Rule
Delegation Does Not Include Authority with Respect to the Privacy Rule
Delegated to the Office for Civil Rights
Criminal Enforcement
Previous rule: up to $250,000 in fines and 10 years in prison for disclosing or obtaining PHI with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. Only a CE (not an employee or agent of a CE) may be held criminally liable
Under HITECH, penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a CE, regardless of whether such person is employed by the CE
Civil Enforcement
Previous Rule: HHS may impose CMPs for failure to comply with the Privacy and Security Rules, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical type during a calendar year
CMPs may not be imposed if:
The violation is a criminal offense under HIPAA's criminal penalty provisions
The person did not have actual or constructive knowledge of the violation
The failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected within 30 days of discovery
Amount of CMP
$100 for each identical violation up to $25,000 for all identical violations, but no more than $1.5 million for all violations of this type within calendar year
$1,000 per violation up to $100,000 for all identical violations, with a cap of $1.5 million for all violations of this type within calendar year
$10,000 per violation up to $250,000 for all identical violations, with a cap of $1.5 million for all violations of this type within calendar year
$50,000 per violation, with an annual cap of $1.5 million, for violations due to willful neglect that were not corrected within 30 days
Federal Enforcement
HHS required to investigate complaints if preliminary investigation indicates violation due to willful neglect
If HHS finds violation due to willful neglect, penalties are mandatory
Distribution of CMPs:
Proceeds from CMPs to go to OCR for purposes of further Privacy and Security Rule enforcement activities
Portion will be paid directly to harmed individuals
Similar to qui tam provisions in False Claims Act
HHS must issue regulations within 3 years to implement this requirement
HHS to conduct audits of CEs and BAs to ensure compliance with Privacy, Security Rules
AGO required to give HHS notice of suit
HHS can intervene and take over action
HHS can also file appeals
Privacy Complaints
Approximately 19,420 Privacy Complaints Filed With OCR
Most Common Allegations Have Been:
Personal Medical Details Wrongly Disclosed
Information Was Poorly Protected
More Details Were Disclosed Than Necessary
Proper Authorization Was Not Obtained
Patients Frustrated in Attempting to Get Their Own Records
Security Complaints
CMS Has Received Approximately 106 Security Complaints (as of last year)
Also Inappropriately Received 28 Privacy-Related Complaints, To Be Directed to OCR
CMS Has Received Approximately 450 Transaction & Code Set Complaints
129 Remain Open
Majority Involve Private Sector Organizations
Most common complaint categories by year:
2009: Safeguards, Access, Minimum Necessary
2008: Safeguards, Access, Minimum Necessary
2007: Safeguards, Access, Minimum Necessary, Notice
2006: Safeguards, Access, Minimum Necessary, Notice
2005: Safeguards, Access, Minimum Necessary, Mitigation
2004: Safeguards, Access, Minimum Necessary, Authorizations
Year not shown: Safeguards, Access, Notice
Health Net lost hard drive with over 500,000 patients' PHI
Health Net delayed notifying individuals for 6 months
32,051 insurance applicants' information was accessible to the public through an unsecured website
Information accessible between Oct. 23, 2009 and Mar. 8, 2010
Consumer notified WellPoint on Feb. 22, 2010
Individuals not notified by WellPoint until Jun. 18, 2010
Enforcement
Blue Cross Blue Shield of Tennessee (BCBST)
OCR expects a carefully designed, delivered and monitored HIPAA compliance program
Agreed to pay US Department of Health and Human Services $1.5 million to settle potential HIPAA violations
Agreed to a corrective action plan to address gaps in its HIPAA compliance program
AG suit alleges Accretive violated HIPAA, state health records law, debt collection and consumer fraud statutes
First action against a business associate?
Status of HIPAA as to BAs?
Reported breaches involving Minnesota entities (table entries):
UnitedHealth Group--SACE, MN, 735 individuals, dates 6/9/2010 and 8/4/2010: On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level alert to monitor all remittance payments.
Mayo Clinic, MN, 9/20/2010: Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions.
UnitedHealth Group--SACE, MN
CareCore National, 1270 individuals, 10/7/2010
Mankato Clinic, MN, Laptop
North Memorial, MN, Laptop
UCLA paid $865,000 and agreed to corrective action plan and independent monitor of HIPAA compliance for 3 years
165 employees disciplined, 2 former employees face criminal charges
HHS alleged violations of Privacy Rule
Mass. Gen agreed to pay $1 million and implement CAP
P & Ps subject to HHS approval
Independent monitoring of HIPAA compliance
Submit compliance reports to HHS for 3 years
Attestation period for Stage 1 compliance began April 18, 2011
Meaningful use payments began in May, 2011
CMS: Within first month, more than 300 hospitals and physicians qualified for incentives and received payments under Medicare program
CMS: by end of May, more than $83 million disbursed under Medicaid program (7 states)
In January 2011, the Health IT Policy Committee (HHS advisory committee) released for public comment preliminary recommendations for Stage 2 and 3 Meaningful Use
In general, Stage 2 requires more thorough implementation of EHRs into daily practice and increased HIE
Current requirement to perform test of HIE changed to connect to at least three external providers
8 new measures
List of care team members (including PCP) for 10% of patients in EHR
Hospitals only: 30% of medication orders automatically tracked via electronic administration recording
Vendors
Need adequate lead time to be able to add new functionalities to EHR products
Jesse.berg@gpmlaw.com www.gpm.law.com