HIPAA Update: The Omnibus Rule
Kathleen Stillwell, MPA/HSA, RN, CPHRM, Patient Safety Risk Management Account Executive
Matthew L. Kinley, Esq., Partner, Tredway Lumsdaine & Doyle LLP

Disclosure
We would like to disclose that Patient Safety/Risk Management Specialists, as employees of The Doctors Company, have a financial interest in The Doctors Company, an organization that may have a direct interest in the subject matter of this CME presentation. Also, participating attorneys are often retained by The Doctors Company for defense of malpractice claims.
HIPAA Update: The Omnibus Rule/ 2

Objectives
- Describe new limits on uses/disclosures of PHI
- Recognize Business Associates/subcontractors
- Explain increased patient rights
- Outline action steps for compliance with the 2013 Omnibus Rule

"I never had a policy; I have just tried to do my very best each and every day."
Abraham Lincoln

HIPAA Violations on the Rise...
- In the last three years, over 70,000 HIPAA violation complaints filed
- Majority of breaches: theft, loss, or unauthorized access or disclosure (i.e., by employees)
- Greatest vulnerability in mobile devices: phones, tablets, laptops, desktops
Source: "HIPAA in a HITECH World: HIPAA Violations on the Rise," Smart Data Collective, March 25, 2013

HIPAA Violations on the Rise... (continued)
- Vulnerabilities tend to be low-tech vulnerabilities, not high-tech vulnerabilities
- One-fourth of reported breaches from paper records
- Paper records are as vulnerable as, or more vulnerable than, electronic records
Source: "HIPAA in a HITECH World: HIPAA Violations on the Rise," Smart Data Collective, March 25, 2013

HIPAA Fines...
- Alaska DHHS fined $1.7 million: USB device stolen from employee vehicle
- Cignet Health fined $4.3 million: failure to provide medical records to 41 patients
- UCLA fined $865,500: snooping employees
- CVS fined $2.25 million: disposal of PHI in trashcans
- Blue Cross of Tennessee fined $1.5 million: unencrypted laptops stolen

The Final Omnibus HIPAA Rule
- Effective March 26, 2013
- Enforcement begins September 23, 2013
- Modifies the Privacy, Security, and Enforcement Rules of HIPAA
- Modifies the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health Act (HITECH)

What Will It Cost?
"...total cost of compliance with the rule's provisions is estimated to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter..."

Who Do the Changes Affect?
- HIPAA Covered Entities: healthcare providers, health systems, health plans, clearinghouses
- HIPAA Business Associates and subcontractors: vendors who contract with Covered Entities and access protected health information (PHI)
  - Examples: technology vendors, service organizations, accountable care organizations, third party administrators

Key Changes...
- Business Associate (BA) definition expanded
- Liability and obligations of BA expanded
- Marketing, fundraising, sale of PHI
- Change in Notice of Privacy Practices
- Patient right to restrict disclosure to health plan if visit is paid in cash and patient requests a restriction
- Enhanced rights for individuals to receive electronic copies of PHI

Key Changes... (continued)
- Health plans prohibited from disclosing genetic information for underwriting purposes
- Modify individual authorization and requirements to facilitate research and disclosure of child immunization proof to schools
- Enable access to decedent information by family members or others
- Increased penalties for noncompliance

Key Changes... (continued)
- Changes to enforcement rules
  - HHS may impose civil monetary penalties up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year
  - Omnibus Rule eliminates an exception under the previous rule that shielded Covered Entities from civil penalties stemming from conduct of their BA

Privacy Notice

Privacy Notice Changes...
- Inclusion of use/disclosure of PHI for marketing, selling PHI, and disclosure of psychotherapy notes
- Inclusion of use/disclosure of PHI for fundraising, and note patients' right to opt out of such use and disclosure
- Covered Entity health plans intending to use PHI for underwriting purposes must give notice and advise individuals that the Covered Entity is prohibited from using genetic information for underwriting purposes

Privacy Notice Changes... (continued)
- Covered Entity has a legal obligation to notify individuals if their PHI is affected by a security breach
- Inclusion of a description of the individual's right to request restrictions of disclosures to health plans for payment or healthcare operations regarding services for which the individual has paid in full out of pocket

Privacy Notice Changes... (continued)
- Place updated Notice of Privacy Practices on the Covered Entity Web site, if applicable
- Elimination of the requirement to include appointment reminders, treatment alternatives, and health-related benefits or services; this content is not required to be removed

Notification of Material Change to Privacy Notice...
- HHS modified the method by which health plans are to notify participants of material changes to their notices of privacy practices
- Health plans that post their notices on their Web sites may prominently post changes or their revised notices
- In their next annual mailings, health plans must provide revised notices, or information about material changes and how to obtain revised notices

Notification of Material Change to Privacy Notice... (continued)
- Health plans that do not post their notices on their Web sites must provide revised notices, or information about the material changes and how to obtain the revised notices, to participants within 60 days of the revisions
- Health plans are still required to remind participants of the availability of privacy notices at least once every three years

Business Associates

Business Associate: Definition Expanded
- Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate
- Any person who offers a personal health record to individuals on behalf of a Covered Entity
- Can be a subcontractor even with only an indirect relationship with the Covered Entity
  - Health information organizations
  - E-prescribing gateways
  - Any person who provides data transmission services

Liability and Obligations of Business Associate...
- Business Associates and subcontractors with access to PHI are liable for compliance with the HIPAA Privacy and Security Rules
- Business Associates and subcontractors may be assessed civil monetary penalties and criminal penalties for violations
- Business Associates and direct subcontractors must enter Business Associate Agreements all the way "down the chain" of the information flow

Liability and Obligations of Business Associate... (continued)
- Business Associate Agreements must be updated to include specific new provisions
- Existing agreements, entered before January 25, 2013, may operate until the agreement is amended/renewed, or until September 22, 2014, whichever is earlier
- Covered Entities and Business Associates will need to modify agreements and allocate risk through use of insurance requirements and indemnity provisions

Revised Breach Notification Rule

Under the previous rule, breaches were not required to be reported unless they posed a "significant risk of reputational, financial, or other harm" to individuals.

Revised Breach Notification Rule...
- Presumption of reportable breach
- "Compromised" information
- Omnibus Rule eliminates the "significant risk of harm" standard as the threshold for breach notification

Revised Breach Notification Rule... (continued)
- The new standard presumes a reportable breach occurred unless the Covered Entity or Business Associate determines there is a low probability that PHI was compromised by the unauthorized use or disclosure
- Covered Entities and Business Associates must revise breach notice policies and procedures to reflect the new breach analysis standard

Marketing, Fundraising, Sale of Protected Health Information

Marketing...
- Omnibus Rule imposes stricter limitations on marketing communications made in exchange for financial remuneration
- Written communications promoting purchase or use of third party products or services require prior individual authorization if the Covered Entity receives financial remuneration in exchange for sending the communication

Marketing... (continued)
- Limited exceptions permit:
  - Face-to-face marketing communications
  - Certain promotional gifts
  - Refill reminders, if remuneration is reasonably related to the cost of the communication

Fundraising...
- Omnibus Rule provides a limited set of circumstances for a Covered Entity to use and disclose certain PHI for fundraising without an authorization
- Covered Entities must provide an individual with a clear and conspicuous opportunity to opt out of receiving future fundraising communications

Sale of Protected Health Information...
- Omnibus Rule prohibits sale of PHI unless the individual has given authorization
- Authorization must acknowledge that the Covered Entity will receive remuneration in exchange for the PHI

Increased Patient Rights

Increased Patient Rights
- Patient access
- Who can receive?
- Can the patient restrict access?
- Notice of privacy practices for patients

Increased Enforcement

Increased Enforcement
- Increased penalties
- "Willful Neglect"
- Procedure for enforcement
- Covered Entities and Business Associates
- Agency liability

Action Items

Action Items
- Revise policies and procedures
- Revise privacy and security policies
- Revise privacy notice
- Revise breach notification requirements
- Revise Business Associate contracts/agreements
- Encryption
- Staff training

OCR Complaint for HIPAA Violation
Describe briefly what happened. How and why do you believe your (or someone else's) health information privacy rights were violated, or the privacy rule otherwise was violated? Please be as specific as possible. Attach additional pages as needed.

Next Steps

What Actions Are Required?
- Revise Business Associate Agreements: evaluate existing contractor arrangements to determine whether modifications or new agreement provisions are necessary, including to existing Business Associate Agreements
- Revise HIPAA Policies and Procedures, including modifications to address response to potential breaches involving unsecured PHI

What Actions Are Required? (continued)
- Update and redistribute Notices of Privacy Practices by September 23, 2013
- Analyze current arrangements for compliance with restrictions on sale of PHI, marketing, and fundraising
- Train employees on updated obligations

"The key to wisdom is knowing all the right questions."
John Simone, Sr.

Mission
Our Mission Is to Advance, Protect, and Reward the Practice of Good Medicine.
For additional Patient Safety information, please visit our Web site at: