HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
Overview: The Privacy and Security Rules HIPAA Privacy Regulations effective April 14, 2003(4) (“Privacy Rule”) HIPAA Security Regulations effective April 20, 2005(6) (“Security Rule”) Rules apply to Health Plans, Health Care providers and Health Care Clearinghouses – HIPAA “Covered Entities” Self-funded health plans (including HRAs, health flexible spending plans) required to fully comply with Privacy and Security Rules; fully-insured plans (group medical, dental vision policies) have limited compliance obligations because of limited PHI access.
HIPAA’s Privacy and Security Rules Apply to “PHI” Under the Privacy Rule, any unauthorized uses and disclosures of participants’ “PHI” by the Plan are prohibited PHI Defined: information about past, present, or future physical or mental health condition, or payment for medical treatment, if the information identifies or could be used to identify the participant. Includes electronic information (“ePHI”) as well as any other form. Does not include employment/FMLA records, disability insurance records, ADA information, drug screen results, or fitness for duty tests maintained by an employer outside of its role as Plan sponsor.
Certain Uses and Disclosures of PHI Permitted Uses and Disclosures between Covered Entities Uses and Disclosures for Treatment, Payment, and Health Care Operations (“TPO”) Uses and Disclosures to a Business Associate (organization providing administrative, consulting or other services to the Plan) if BA agreement in place Uses and Disclosures pursuant to a valid HIPAA authorization
Individual Rights Created; Compliance Steps Required Individual rights include right to notice of privacy practices, right to request restrictions on PHI uses and disclosures, right to confidential communications, right to access and amend PHI, and right to accounting of disclosures. Plan required to appoint Privacy Officer and Security Officer Plan amendments required so Plan sponsor could access PHI Standards related to scope of permitted disclosures (“minimum necessary standard”), marketing, sale and other uses of PHI implemented
Privacy and Security Policies and Procedures Plan must adopt privacy and security policies and procedures to address its compliance with all aspects of HIPAA Privacy Rule and Security Rule, including: How and to whom PHI will be used and disclosed, including a policy for identifying and entering into Business Associate agreements; Which Plan employees will be authorized to access PHI; How workforce training will be addressed; How participant rights will be protected;
Privacy and Security Policies and Procedures How internal safeguards will be established (e.g. access controls, firewalls, encryption, password protection); What policy and process will apply for complaints and sanctions related to HIPAA violations; How administrative, technical and physical safeguards required by Security Rule will be addressed and implemented.
Other Key HIPAA Concepts Prior to HITECH Act Business Associates (BAs) of Plans only obligated to comply with HIPAA as required in Business Associate agreements. Informal Compliance Assistance provided by CMS and OCR; enforcement was not aggressive and health plan HIPAA audits were uncommon. No Private Right of Action.
HIPAA Changes in ARRA HIPAA Privacy and Security Rules unchanged until the American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended HIPAA relating to electronic health records, breach notification, increased penalties and enforcement Generally effective beginning February 17, 2010
Key Change #1: Applicability of HIPAA Privacy & Security Rules to Business Associates Business Associates (BAs) are now required to directly comply with the HIPAA Privacy and Security Rules similar to Covered Entities. BAs directly subject to HIPAA’s civil and criminal penalties for HIPAA Privacy and Security Rule violations. BAs previously bound only by terms of business associate agreements; breach of contract action by Plan only avenue to address violations.
Key Change #2: The Breach Notification Regulations Prior to HITECH, no legal requirement to affirmatively notify participants of incident involving the unauthorized use or disclosure of PHI; only required to inform participants if they asked. New regulations make breach notification requirements effective as of September 23, 2009, and subject to sanctions for violations any time on or after February 22, 2010.
A Breach Involving PHI A “Breach” occurs if: An unauthorized access, use or disclosure of PHI occurs, and The access, use or disclosure compromises the security or privacy of the PHI. Security or privacy is compromised if the use or disclosure “poses a significant risk of financial, reputational or other harm to the individual.” If an unauthorized use or disclosure is discovered, the Plan must perform a risk assessment to determine if the use or disclosure poses a significant risk of harm, thereby requiring notification.
Exemptions from Breach Notification Requirements “Secured” PHI Encrypted (if electronic PHI) Destroyed (if paper PHI) A “Limited Data Set” with zip codes and birth dates removed Certain disclosures between HIPAA covered entities and workforce members who have a duty to protect the information
Required Action Steps in the Event of a Breach Discovery of the Breach Breach is considered discovered as of the 1 st day of the breach being known by the Plan (or its agent), or when, by exercising reasonable diligence, it would have been discovered. Knowledge of a breach by a workforce member or agent (BA) is attributed to the Plan Time period begins to run upon knowledge of event occurring, even before risk assessment completed to determine if harm could result from incident.
Notification of Breach to Individuals Once privacy or security incident is discovered, Plan must complete a risk assessment to determine if harm to individuals could result from incident. Factors to consider – who, what, why, when, how? Subjective analysis. If harm possible, notification by Plan directly to individuals affected by breach is required no later than 60 calendar days after discovery of the breach.
Notification to Media Outlets and Secretary of HHS If Plan does not have contact information for 10 or more affected individuals, then Plan must post a conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. If more than 500 residents of a state, Plan must notify prominent media outlets of the breach. (This is in addition to the individual notices mentioned above). If more than 500 individuals’ PHI involved, then the Plan must immediately notify the Secretary of HHS of the breach; if less than 500 individuals’ PHI involved, Plan still must notify HHS, but may wait until 60 days after the end of the calendar year.
Key Change #3: Heightened Civil Enforcement Under HITECH, civil penalties for HIPAA violations have increased, and HHS is required to investigate complaints of privacy and security breaches. HHS has announced HIPAA audit initiative Penalty Regulations effective on November 30, 2009, and apply to violations after February 17, 2010
New Penalty Structure under Interim Final Regulations Plan Unaware of Violation: minimum civil penalty is $100 per violation Violation Due to Reasonable Cause: minimum is $1,000 per violation Violation Due to Willful Neglect; Corrected Within 30 Days: minimum is $10,000 per violation Violation Due to Willful Neglect; Not Corrected: minimum is $50,000 per violation Each level of penalty carries with it a maximum of $50,000 per violation, and an overall limit of $1,500,000 for identical violations in a calendar year.
Criminal Liability Also Possible Plan employees (as well as business associates) who obtain or disclose PHI without authorization may also be criminally liable. Criminal liability generally extends to intentional harmful conduct for profit or personal gain.
Key Change #4: Additional Legal Remedies for Breaches In addition to criminal and civil penalties, the new law creates additional remedies: State Attorney General may bring action for injunctive relief or damages on behalf of state residents adversely affected by HIPAA violation Connecticut AG recently announced legal action for injunction/civil penalties against Health Net based on missing computer disk drive, and failure to take prompt action to mitigate/notify Individuals may be awarded a percentage of civil monetary penalties collected for violations
Key Change #5: Increased Restrictions and Individual Rights “Minimum Necessary” disclosures restricted to “Limited Data Set unless impracticable; regulations expected “Health Care Operations” definition will be modified to further restrict disclosures for TPO; regulations expected Increased restrictions on marketing and sale of PHI Changes made to individual rights – Additional restrictions on provider disclosures to health plans (cash payments) Changes related to Electronic Health Records (“EHRs”) If EHRs used, Plan must account for all uses and disclosures Requires Plans to provide PHI electronically if EHRs used
Task List: Steps for HIPAA/HITECH Compliance Revisit plan documents to ensure HIPAA required amendments are in place, and reissue Privacy Notice if necessary (required every 3 years). Revise HIPAA policies to incorporate HITECH provisions, risk assessment and breach notification requirements, OR implement up-to-date HIPAA policies for all group health plans if not previously adopted. Revisit Security Rule requirements to ensure administrative, technical, and physical safeguards in place, OR implement Security Rule requirements for ePHI if not previously completed.
Task List: Steps for HIPAA/HITECH Compliance Encrypt or password protect ePHI wherever practicable; review company policies for laptop computers and PDAs. Identify and conduct training of workforce members handling PHI, provide additional training for new HITECH Act provisions. Review workforce sanction policy (or implement if needed). Ensure that Business Associate agreements are in place with all service providers handling PHI for the Plan, and that those agreements are updated for HITECH.
QUESTIONS??? CONTACT INFORMATION Katy Stowers (317) (317) Kristen Gentry (317)