HIPAA Update – Significant Omnibus Rule Changes. Rose Willis and Billee Lightvoet Ward, Dickinson Wright PLLC.

HIPAA OMNIBUS RULE
Timeline:
- Published: January 25, 2013
- Effective date: March 26, 2013
- Compliance date: September 23, 2013
- Transition period (for grandfathered business associate agreements): September 23, 2014
omnibus, adjective: containing or including many items*
The Omnibus Rule amends the Privacy Rule, the Security Rule, the Breach Notification Rule and the Enforcement Rule.
* "omnibus." Merriam-Webster.com (9 September 2014)

HIPAA OMNIBUS RULE “... the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Leon Rodriguez, Director, HHS Office for Civil Rights

HIPAA OMNIBUS RULE “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” Leon Rodriguez, Director, HHS Office for Civil Rights

WHAT'S NEW
Decedents: PHI is no longer protected 50 years after the date of death.
Access: Covered entities (CE) must provide access to e-PHI in the electronic form and format requested if it is readily producible in that form. Access must be provided within 30 days (one 30-day extension allowed).
Restrictions: A CE must agree to restrict disclosures to a health plan concerning treatment for which the individual paid in full out of pocket.

WHAT'S NEW
Notice of Privacy Practices
- Past compliance deadline for revisions
- Material revisions
- Distribution of the revised version
- HHS Model Notice of Privacy Practices
Business Associates (BA)
- Expanded definition
- New requirements for Business Associate Agreements
- Direct liability
Breach Notification Rule
- Presumption of breach
- New risk assessment standards

Notice of Privacy Practices
The deadline for making the required changes was September 23, 2013. What if you did not meet this deadline? Revise the NPP now; there is no "back dating" of the revision date.

Notice of Privacy Practices
What's new: The NPP must include a statement that any use or disclosure of a patient's PHI for marketing purposes requires the individual's written authorization. If the covered entity receives financial remuneration from a third party for the marketing, the authorization must state that such remuneration is involved.
Marketing purposes: "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service," but generally excepts communications for treatment and health care operations.
Exceptions: a face-to-face communication made by the covered entity, or a promotional gift of nominal value provided by the covered entity.

Notice of Privacy Practices
What's new: The NPP must include a statement that any use or disclosure of a patient's PHI that constitutes a sale of PHI requires the individual's written authorization. The authorization must state that the disclosure will result in remuneration to the CE.

Notice of Privacy Practices
What's new: If the CE records or maintains psychotherapy notes, the NPP must include a statement that uses and disclosures of psychotherapy notes require the individual's written authorization.
Psychotherapy notes: notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are separated from the rest of the individual's medical record.
Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Notice of Privacy Practices
What's new: Other uses and disclosures. The NPP must also state that uses and disclosures of PHI not listed in the notice will be made only with the individual's written authorization. Sample language: "Uses and disclosures of your PHI that are not listed in this notice will be made only with your written authorization."
Remember: the Notice of Privacy Practices is the roadmap!

Notice of Privacy Practices
Refresher: What is an authorization? Make sure that you have a HIPAA-compliant authorization. It must meet the specific requirements of the HIPAA Privacy Rule, such as:
- Specific identification of the information to be used or disclosed
- Expiration date or expiration event
- Signature of the patient and date
- Certain required statements, such as the individual's right to revoke the authorization in writing

Notice of Privacy Practices
What's new: A covered entity that intends to contact an individual for fundraising purposes must disclose in its NPP that it may contact the individual to raise funds and that the individual has the right to "opt out" of receiving such communications.
Fundraising: a communication to an individual that is made by a covered entity, an institutionally related foundation, or a business associate on behalf of the covered entity for the purpose of raising funds for the covered entity.
Opt out: the mechanism for opting out must be included in each fundraising solicitation, not in the NPP.

Notice of Privacy Practices
What's new: The NPP must include the individual's right to restrict disclosures of PHI to a health plan when the individual (or someone on the individual's behalf) pays out of pocket in full for the health care item or service. This is a new obligation of each CE: where the disclosure is for payment or health care operations and the PHI pertains solely to a service for which the covered entity has been paid in full, the CE must agree to the requested restriction (unless the disclosure is otherwise required by law).
Discuss with the patient any inability to unbundle a bundled service.
Downstream providers: no obligation to notify them (so far).

Notice of Privacy Practices
What's new: The NPP must include a statement informing individuals of their right to be notified following a breach of their unsecured PHI. Sample language: "You have the right to be notified following a breach of your unsecured PHI." A simple statement suffices; there is no need to include the regulatory requirements of breach notification (discussed later in this session).

Notice of Privacy Practices
What's new: For health plans only, the NPP must state that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.

Notice of Privacy Practices
Possible additional amendments (not required):
- Statement regarding the individual's right to a copy of PHI maintained electronically by the CE
- The individual's ability to have immunization records sent directly by the CE to a school
- Applicable time frames for an individual's access to his or her PHI

Notice of Privacy Practices – Distribution of Revised Version
Incorporate the new revision date (no back dating). The CE must distribute the revised NPP as follows:
- Make the revised NPP available upon request on or after the effective date of the revised notice
- Have the NPP available at the delivery site
- Post the revised notice in a clear and prominent location
- Provide it to all new patients along with an acknowledgment of receipt
- Post it to your website, if you have one

HHS Model Notices of Privacy Practices
Recommendation: use the HHS model form, but tailor it to your practice.

BUSINESS ASSOCIATES
Who is a Business Associate? Refresher: a person (or entity) who performs certain functions or activities for or on behalf of a CE, or provides certain services to a CE, such as:
- Billing, claims processing, data analysis
- Utilization review, QA, practice management
- Legal, accounting, financial services
The function or service must involve the use or disclosure of PHI, and the person must not be a member of the CE's workforce.

BUSINESS ASSOCIATES
Who is a Business Associate? What's new: any person who "creates, receives, maintains or transmits" PHI for certain functions or activities on the CE's behalf.
New category of functions: patient safety activities.
Clarification: data storage companies that maintain PHI are BAs regardless of whether they actually view the PHI.

BUSINESS ASSOCIATES
Who is a Business Associate? What's new: newly covered service providers:
- Persons providing data transmission services (a health information organization, an e-prescribing gateway, etc.) that require routine access to PHI
- Persons offering a personal health record on the CE's behalf
- Subcontractors of the BA

BUSINESS ASSOCIATES
Business Associate Agreements. Refresher: a CE must enter into a Business Associate Agreement (BAA). The BAA must:
- Establish the permitted and required uses and disclosures of PHI
- Require the BA to implement administrative, physical and technical safeguards
- Require the BA to comply with certain other obligations to assist the CE in meeting its HIPAA obligations
- Require the BA to report any use or disclosure not provided for in the BAA
- Authorize termination of the contract for the BA's material violation

BUSINESS ASSOCIATES
Business Associate Agreements. What's new: the BAA must now require the BA to:
- Comply with the HIPAA Security Rule for e-PHI
- Report breaches of unsecured PHI
- Comply with the applicable Privacy Rule requirements when carrying out a CE's obligation under the Privacy Rule
- Take steps to cure or end the violation (or terminate the relationship) if it knows of a Subcontractor's pattern of activity or practice that constitutes a material breach of the Subcontractor's obligations
What's new: a BA must have a BAA with each of its Subcontractors.

BUSINESS ASSOCIATES
Liability. Refresher: the CE is liable for BA violations; the BA had no direct HIPAA liability (breach of contract only).
What's new: BAs (including Subcontractors) are now directly liable under HIPAA. In addition, a CE or BA can be held vicariously liable for the violations of its "agents" under the federal common law of agency. Agency is a facts-and-circumstances determination; the key indicator is the authority to control the performance of the services. "Independent contractor" language in the agreement is not enough by itself.

BREACH NOTIFICATION
Breach Notification Rule: CEs and BAs must notify affected patients, HHS, and, in some instances, the media of certain breaches of "unsecured" PHI, i.e. PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. Note for practitioners: the encryption safe harbor only applies if the encryption meets that guidance and the key was not compromised along with the data.
"Breach" means an "acquisition, access, use, or disclosure of PHI in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the PHI."

BREACH NOTIFICATION
What's new: Presumption of breach. An improper use or disclosure is presumed to be a breach (this replaces the prior "significant risk of harm" standard). To rebut the presumption, the CE (or BA) must:
- conduct and document a comprehensive risk assessment; and
- determine that there is a low probability that the PHI has been compromised.

BREACH NOTIFICATION
Risk assessment: at a minimum, the following four factors must be considered:
- The nature and extent of the PHI involved (was sensitive information included?)
- The unauthorized person who used or obtained the PHI (was it another CE?)
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated (were the documents retrieved?)

BREACH NOTIFICATION
Notification to individuals: without unreasonable delay, and not more than 60 days after "discovery." A breach is discovered:
- When the CE knew, or would have known with reasonable diligence
- When an agent or workforce member knew (other than the person committing the breach)
- When the CE receives notice from a BA
- If the BA is an agent, when the BA discovered the breach
Content of the notice:
- What happened, when it happened, and when it was discovered
- Description of the compromised PHI
- Steps individuals should take to mitigate the effects
- Steps the CE is taking
- CE contact information

BREACH NOTIFICATION
Notification to the media: required when more than 500 residents of a State or jurisdiction are affected, within 60 days of discovery, via "prominent media outlets" (what is prominent depends on the market). A press release posted on the CE's website does not meet this requirement.

BREACH NOTIFICATION
Notification to the Secretary:
- Immediately, for breaches affecting 500 or more individuals (anywhere); "immediately" means at the time the individual notices are sent
- Annually, for breaches affecting fewer than 500 individuals: maintain a log and report on the HHS website within 60 days after the end of the calendar year
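The presumption of breach and four-factor assessment described above, together with the discovery-date rules and the individual, media and Secretary deadlines, form a decision procedure that an incident-response team has to apply under time pressure. The following Python is an added example, not code from the presenters or from OCR, that encodes that procedure so the obligations can be computed from the documented facts of an incident. The class and function names, the policy that an assessment only counts as "low probability" when it is documented and favorable on all four factors, and the sample laptop-theft incident are assumptions for illustration; the thresholds and 60-day periods are those stated in the slides.

```python
"""Added example (not the presenters' or OCR's code): breach-response decision
helper encoding the presumption of breach, the four-factor assessment, the
discovery-date rules and the notification deadlines from the slides. Names, the
"all four factors must be favorable" policy and the sample incident are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_WINDOW_DAYS = 60      # outer limit; notice is due "without unreasonable delay"
HHS_IMMEDIATE_MIN = 500      # 500 or more individuals: tell the Secretary with the individual notices
MEDIA_MIN_PER_STATE = 501    # more than 500 residents of one State/jurisdiction: notify prominent media


@dataclass
class RiskAssessment:
    """The four factors that must be considered and documented to rebut the presumption."""
    sensitive_phi: bool               # nature/extent: SSNs, diagnoses, financial data present?
    recipient_is_covered_party: bool  # recipient is another CE or BA bound by HIPAA?
    phi_actually_viewed: bool         # forensics show the PHI was opened or acquired?
    fully_mitigated: bool             # e.g. documents retrieved, destruction attested?
    documented: bool = False          # written record of the assessment exists?

    def low_probability_of_compromise(self) -> bool:
        # Assumed conservative policy: undocumented assessments never rebut the
        # presumption, and every factor must point the right way.
        return (self.documented and not self.sensitive_phi and self.recipient_is_covered_party
                and not self.phi_actually_viewed and self.fully_mitigated)


@dataclass
class Incident:
    impermissible_use_or_disclosure: bool
    unsecured_phi: bool               # False only if encrypted/destroyed per HHS guidance
    individuals_affected: int         # total, anywhere
    max_residents_one_state: int      # largest count within a single State or jurisdiction
    ce_knew: date                     # day the CE (or a workforce member) actually knew
    ce_should_have_known: date        # day the CE would have known with reasonable diligence
    assessment: Optional[RiskAssessment] = None
    ba_discovered: Optional[date] = None   # day a business associate discovered it
    ba_is_agent: bool = False              # agent BA: its knowledge is imputed to the CE
    ba_notified_ce: Optional[date] = None  # non-agent BA: clock starts when the CE gets notice


def discovery_date(inc: Incident) -> date:
    """First day the breach is treated as known to the CE."""
    candidates = [inc.ce_knew, inc.ce_should_have_known]
    if inc.ba_is_agent and inc.ba_discovered is not None:
        candidates.append(inc.ba_discovered)
    elif inc.ba_notified_ce is not None:
        candidates.append(inc.ba_notified_ce)
    return min(candidates)


def is_reportable_breach(inc: Incident) -> bool:
    if not inc.impermissible_use_or_disclosure or not inc.unsecured_phi:
        return False     # no impermissible use, or the encryption/destruction safe harbor applies
    if inc.assessment is not None and inc.assessment.low_probability_of_compromise():
        return False     # presumption rebutted and documented
    return True          # presumption of breach stands, including when no assessment was done


@dataclass
class Obligations:
    breach: bool
    discovered: Optional[date] = None
    individuals_by: Optional[date] = None
    media_by: Optional[date] = None
    hhs_by: Optional[date] = None
    hhs_annual_log: bool = False


def obligations(inc: Incident) -> Obligations:
    if not is_reportable_breach(inc):
        return Obligations(breach=False)
    found = discovery_date(inc)
    deadline = found + timedelta(days=NOTIFY_WINDOW_DAYS)
    large = inc.individuals_affected >= HHS_IMMEDIATE_MIN
    # Smaller breaches go in the log and are reported within 60 days after the calendar year ends.
    year_end_report = date(found.year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)
    return Obligations(
        breach=True, discovered=found, individuals_by=deadline,
        media_by=deadline if inc.max_residents_one_state >= MEDIA_MIN_PER_STATE else None,
        hhs_by=deadline if large else year_end_report,
        hhs_annual_log=not large,
    )


# Constructed sample: unencrypted laptop stolen from an employee's car, 1,200 patients in one state.
SAMPLE_LAPTOP_THEFT = Incident(
    impermissible_use_or_disclosure=True, unsecured_phi=True,
    individuals_affected=1200, max_residents_one_state=1200,
    ce_knew=date(2014, 3, 10), ce_should_have_known=date(2014, 3, 3),
)

if __name__ == "__main__":
    print(obligations(SAMPLE_LAPTOP_THEFT))
```

Two details the helper makes explicit that are easy to get wrong in practice: the clock runs from the earlier of actual knowledge and reasonable-diligence knowledge (and from an agent BA's own discovery date), not from the day the CE chose to start an investigation; and a breach of exactly 500 individuals triggers immediate notice to the Secretary while the media threshold is "more than 500 residents" of one jurisdiction, so the two obligations do not always arise together.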

Breach Notification Reports to Congress
Breaches affecting fewer than 500 individuals: 165,135 reports were made to OCR in 2012. The most common causes, in order of frequency:
1. Unauthorized access or disclosure (21,639 reports affecting 62,069 individuals)
2. Unknown/other (2,033 reports affecting 13,091 individuals)
3. Theft (1,028 reports affecting 49,132 individuals)
4. Loss (789 reports affecting 20,176 individuals)
5. Improper disposal (155 reports affecting 4,518 individuals)
6. Hacking/IT incident (61 reports affecting 2,619 individuals)

Breach Notification Reports to Congress
The Secretary's annual report to Congress was submitted May 20, 2014 for calendar years 2011 and 2012. Breaches involving more than 500 individuals:
- By entity type: health care providers 68%; business associates 25%
- By cause: theft 53%; unauthorized access/disclosure 18%
- Largest theft breach: theft of an unencrypted laptop from an employee's vehicle (more than 116,000 individuals affected)
- Other theft locations: medical offices and pharmacies; subway and other public transit; storage facilities

Breach Notification Reports to Congress
Improper disposal:
- Largest breach (189,489 individuals affected): X-rays lost by a business associate hired to digitize and destroy the X-rays and accompanying paper jackets
- Others: disposal in recycling or trash bins
Hacking/IT incidents:
- Largest breach of 2012 overall (780,000 individuals affected): an unencrypted network server compromised by a cyber-attack
- Others: viruses and malware; unidentified, unauthorized persons accessing systems; PHI rendered corrupt and inaccessible (the CE received a "ransom note" demanding payment to restore access to the files)

OCR Audits of the Breach Notification Rule
Pilot audit program (detailed in the Enforcement presentation). The pilot audits looked at covered entities' compliance with specific aspects of the Breach Notification Rule:
- Notification to individuals
- Timeliness of notification
- Methods of individual notification
- Burden of proof

QUESTIONS?