July 10, 2013
Richard D. Sanders
The Sanders Law Firm, P.C.
7 Piedmont Center, Suite Piedmont Road
Atlanta, Georgia
(404)
Gwinnett Managed Care, Inc.
Final HIPAA Privacy and Security Rules
Overview
- Background for HIPAA changes
- Review of the new HIPAA Breach Notification Rules
- Summary of key provisions of the Final Rule
HITECH Revisions: Breach Notification
- Description of Breach Notification Requirements
  - Pre-HITECH breach notification
  - Interim Final Rule provisions (August 24, 2009)
  - Guidelines for risk analysis
- HITECH revisions to enforcement and penalties
- Five things CEs need to do to comply with the HITECH Breach Notification Rules
- Breach... or no breach
- Final Rule issued January 25, 2013; to be effective March 26,
HITECH Revisions: Breach Notification
Scope of Notification Requirements
- Applies to Privacy Rule breaches involving both electronic and paper records
- “Breach” means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information (at 45 C.F.R. § )
- Under the Final Rule, any use or disclosure of unsecured PHI not permitted under the HIPAA Privacy Rule is presumed to be a breach requiring patient notification unless the Covered Entity or Business Associate demonstrates that there is “a low probability that the protected health information has been compromised.”
HITECH Revisions: Breach Notification
Exceptions to “Breach” Definition
- Unintentional access to PHI by a workforce member or other individual acting under the authority of a CE or BA if:
  - the access was in good faith and within the scope of authority of the CE/BA; and
  - the information was not further acquired, accessed, used or disclosed by such person in a manner not permitted by the Privacy Rule
- Inadvertent disclosure by a person authorized to access the CE’s or BA’s PHI to another similarly situated person at the same CE, BA or OHCA, where the PHI is not further used in a manner not permitted by the Privacy Rule
- Disclosure of PHI to an unauthorized person if the CE/BA has a good faith belief that such person could not reasonably have been able to “retain” such information
- The Final Rule removes the exception for limited data sets that do not contain zip codes and dates of birth.
HITECH Revisions: Breach Notification
Unsecured PHI Guidance
- HITECH defines “Unsecured PHI” as PHI not secured through use of a technology or methodology required in HHS guidance to render PHI “unusable, unreadable or indecipherable to unauthorized individuals”
- HHS issued guidance on April 27, 2009, identifying two methods to secure PHI and render it unusable, unreadable or indecipherable to unauthorized individuals: encryption and destruction
- HHS is required to update the guidance annually
HITECH Revisions: Breach Notification
- Clarified meaning of “data”: in motion, at rest, in use and disposed
- Encryption:
  - Successful use depends upon the strength of the encryption algorithm (computer program) and the security of the decryption key or process
  - Two approved processes:
    - For data considered to be “at rest”: NIST Special Pub , Guide to Storage Encryption Technologies for End User Devices
    - For data considered to be “in motion”: Federal Information Processing Standards (FIPS)
  - These methods are exhaustive, not illustrative
- Destruction:
  - PHI in written form will be “secured” if the materials are shredded or destroyed and the PHI cannot be read or otherwise reconstructed
  - PHI in electronic form will be “secured” if the information is cleared, purged or destroyed consistent with NIST Special Pub , Guidelines for Media Sanitization, such that the PHI cannot be retrieved
Updated HHS Guidance on Securing PHI
In the preamble to the regulations for breach notification, HHS updated its guidance on “securing” PHI. HHS:
- Rejected access controls, such as firewalls, as a method for securing PHI.
- Rejected redaction as a means of securing PHI, and clarified that only the destruction of paper PHI will render that PHI secure.
- Clarified that encryption keys must be kept on a separate device from the data that they encrypt or decrypt.
- Reiterated its reliance on certain NIST standards as meeting the encryption standards required to secure PHI.
HITECH Revisions: Breach Notification
Discovery of Breach: Section (2)
- A breach is treated as discovered on the first day that it is known, or by exercising reasonable diligence could have been known (except by the person committing the breach), to the CE or BA
- A CE/BA is “deemed” to know of a breach when it is known, or by exercising reasonable diligence could have been known, to any workforce member or agent of the CE
- The meaning of “agent” is determined by the federal common law of agency
HITECH Revisions: Breach Notification
Notice to Individuals: Section
- CEs must notify individuals if “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a “breach”
- Written notice
  - Sent via first class mail unless the individual has specified a preference for
- Substitute notice
  - If there is insufficient or out-of-date contact information for an individual, or if notice is returned undeliverable, the CE must provide substitute notice
  - If fewer than 10 individuals are involved, notice may be by phone or other means
  - If 10 or more individuals are involved, notice must be by conspicuous posting for 90 days on the CE’s Web site or in major print or broadcast media where the affected individuals reside
  - Must include a toll-free phone number active for at least 90 days
  - Notice must be reasonably calculated to reach the individual
- Urgent notice
  - If there is a possibility of imminent misuse of unsecured PHI, notice is required by telephone or other appropriate means, in addition to written notice
HITECH Revisions: Breach Notification
Timing of Notice to Individuals by CE: Section (b)
- Must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the unsecured PHI breach
Content of CE Notice to Individual: Section (c)
The notice must include:
- Description of the breach (what happened, including the date of the breach)
- Types of information involved (such as SS#, DOB, address)
- Mitigation, investigation and protective steps taken by the CE
- Steps individuals should take to protect themselves
- Contact information to ask questions or obtain more information (must include a toll-free number, address, Web site or postal address)
HITECH Revisions: Breach Notification
Notice to Media: Section
- If a breach involves the unsecured PHI of more than 500 individuals in a state or jurisdiction, the CE must notify prominent media outlets
- Notice must be given without unreasonable delay and no later than 60 calendar days after breach discovery
- Depending on the circumstances, an appropriate media outlet may include a local television station or a major general interest newspaper with a daily circulation throughout an entire state
Notice to Secretary: Section
- If a breach involves the unsecured PHI of more than 500 individuals:
  - Notify immediately, meaning without unreasonable delay and no later than 60 calendar days after breach discovery
  - CEs are listed on the HHS Web site
- If a breach involves the unsecured PHI of fewer than 500 individuals:
  - CEs must maintain a log of breaches and submit an annual report of breaches to the Secretary
  - The date for submission will be identified on the HHS Web site and will be no later than 60 days after the end of each CY
Report to Congress
- HHS must annually report breaches to Congress
HITECH’s Revisions to Enforcement and Penalties
Enforcement
- HHS, specifically OCR, must formally investigate any complaint of a HIPAA violation if the initial investigation indicates a breach due to willful neglect (effective February 17, 2011)
- Required to impose a CMP if willful neglect is found
- OCR will perform audits of CEs and BAs (probably not random onsite visits), beginning February 2010
- Effective February 17, State attorneys general may bring civil actions in federal court for HIPAA violations
  - HHS may intervene
  - AGs may seek an injunction or damages
  - Only if HHS has not initiated a lawsuit
HITECH’s Revisions to Enforcement and Penalties
Penalties (as per statute and the October 30, 2009 Interim Final Rule)
- Applicable to CEs: February 18, 2009
- Applicable also to BAs: February 17, 2010
- Original bases for civil enforcement retained, with increased penalties
- Penalties based on intent (state of mind)
- CMPs collected are transferred to OCR for purposes of enforcing the Privacy and Security Rules
- OCR will consult with GAO to develop, within 3 years, a system to provide a percentage of CMPs/settlements to individuals harmed
- Non-CEs (e.g., employees of CEs) may violate HIPAA if PHI maintained by a CE is obtained or disclosed by a person without authorization
  - Criminal penalties
  - Broad language
HITECH’s Revisions to Enforcement and Penalties
Penalties (cont’d): applies a tiered approach to CMPs
- Unknown, or with reasonable due diligence would not have known: not less than $100 or more than $50,000 for each violation, OR in excess of $1.5 million for identical violations during a calendar year
- Reasonable cause that is not willful neglect: not less than $1,000 or more than $50,000 for each violation, OR in excess of $1.5M for identical violations during a calendar year
- Willful neglect, with the violation corrected within the 30 day cure period: not less than $10,000 or more than $50,000 for each violation, OR in excess of $1.5M for identical violations during a calendar year
- Willful neglect, with the violation not corrected within the 30 day cure period: not less than $50,000, OR in excess of $1.5M for identical violations during a calendar year
Proposed Rule Change for HIPAA/HITECH
Notice of Privacy Practices
- The components of the HIPAA Notice of Privacy Practices require new notices regarding marketing and fundraising
- Authorization is required for any disclosure of PHI that is made in exchange for direct or indirect remuneration, unless a specified exception applies
Proposed Rule Change for HIPAA/HITECH
Additional Issues
- Privacy protection extends only 50 years after the death of the patient
- Covered entities can charge patients for costs associated with providing an individual’s ePHI on electronic media
Final Rule Change for HIPAA/HITECH: Effective Date
2013 Rule Changes
The Department of Health and Human Services issued the HIPAA/HITECH Act Omnibus Final Rule on January 25, 2013 (the “Final Rule”). The Final Rule is effective March 26,
Covered Entities will be required to comply with most provisions by September 23,
HIPAA/HITECH Act Omnibus Final Rule
2013 Rule Changes
Breach Notification:
- The Final Rule revises the definition of a “breach” and the standard for determining whether patient notification is required.
- The Final Rule replaces the harm threshold with a probability-of-compromise threshold.
- Any use or disclosure of PHI is presumed to be a breach requiring patient notification unless there is “a low probability that the protected health information has been compromised.”
HIPAA/HITECH Act Omnibus Final Rule
2013 Rule Changes
Breach Notification (cont’d):
When determining whether there is a low probability that PHI has been compromised, Covered Entities must take into account four (4) factors:
1. The nature and extent of the PHI involved;
2. The unauthorized person who used the PHI or to whom the PHI was disclosed;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
HIPAA/HITECH Act Omnibus Final Rule (cont’d)
Rule Changes
Business Associates and Contractors:
- Under the Final Rule, Business Associates and Contractors are now required to comply with the HIPAA Security Rule.
- The Final Rule provides a transition period of an additional year for Business Associate Agreements (“BAAs”) that are currently in existence to be brought into compliance with the Rule.
- For example: for BAAs that existed prior to January 25, 2013, and that are not renewed or modified during the period from March 26, 2013 to September 23, 2013, the deadline to comply with the Final Rule will be the earlier of the date on which the BAA is renewed or modified, or September 22,
HIPAA/HITECH Act Omnibus Final Rule (cont’d)
Rule Changes
Revised Privacy Notices:
- Under the Final Rule, Privacy Notices must now grant the recipient the right to receive breach notification.
- Covered Entities must obtain patient authorization before using PHI for marketing purposes and before selling PHI.
- Covered Entities will need to provide a revised Notice of Privacy Practices to individuals.
THANK YOU!!!
Richard D. Sanders
The Sanders Law Firm, P.C.
Piedmont Road
Atlanta, Georgia
(404)