Overview of the Omnibus Final HIPAA Rule Kohler HealthCare Consulting, Inc. Deanna Turner 410.461.5116.

Presentation transcript:

Overview of the Omnibus Final HIPAA Rule Kohler HealthCare Consulting, Inc. Deanna Turner

Goals for Session
- Define the statutory timeline and reasons for changes to the final HIPAA (Health Insurance Portability and Accountability Act) Rule
- Provide an overview of the changes in the final Rule
- Highlight responsibilities and requirements of the expanded pool of Business Associates (BA)
- Summarize new and expanded individual rights
- Outline changes to “Breach Notification”
- Provide advice on “Next steps”

Background: Statutory Timeline
- January 17, 2013: Omnibus Rule announced by the Office of Civil Rights of the U.S. Department of Health and Human Services (HHS) – the largest expansion of the HIPAA privacy, security, enforcement and breach notification efforts in at least a decade.
- March 26, 2013: Effective date of the Omnibus Rule (60 days after publication in the Federal Register).
- September 23, 2013: Date by which covered entities and business associates must comply with the requirements (180 days after the effective date).
Now is the time to determine whether these changes will affect your business relationships!

Background: Why the Changes?
- Updates and clarifies obligations that were enacted in February 2009 by the HITECH Act
- Changes are designed to advance health information technology and incentivize use of electronic health data and information
- Consumer-based focus with an orientation toward active enforcement
- Most sweeping changes since the law was first implemented
- Goal: Improve patient privacy and security protections, and increase penalties for non-compliance

Background: What’s Changed?
- Expansion of responsibilities, extension of obligations, and increased liability of business associates and covered entities;
- Tightening of limits on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes;
- Strengthening of individuals' rights and control over their PHI (access, disclosures);
- Establishment of new required authorizations for individuals’ PHI (sale, research, decedent data);
- Modifications to the Notice of Privacy Practices;
- Lowered “threshold of harm” related to breaches and increased obligations regarding breach notifications; and
- Enhancement of provisions related to enforcement and penalties for non-compliance

Business Associates and Enhanced Requirements
- Business Associates (BA) are partners and vendors that perform work on behalf of a covered entity
- HHS has added the word “maintains” to the previous definition to clarify that entities that store or maintain PHI are business associates
- Includes the HITECH Act-mandated specific inclusion of:
  – Entities that provide data transmission services to a covered entity; and
  – A person that offers a personal health record to one or more individuals on behalf of a covered entity.

Business Associates and Enhanced Requirements
- Entities are Business Associates if they create, receive, handle, maintain, transmit or store PHI, even if they do not actually view the PHI
INCLUDES:
- Health Plans
- Third Party Administrators
- E-Prescribing Gateways
- Billing Companies
- Technology Vendors
- Personal Health Record Vendors
DOES NOT INCLUDE:
- Companies that serve as conduits for PHI
- Internet service providers
- Courier services

Business Associates and Enhanced Requirements
- A subcontractor is defined as a “person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate”.
- Previously: It was unclear that the privacy and security rules added by HITECH extended to subcontractors
- Now: Subcontractors are specifically included in the modified definition of “business associate”
- RESULT: The government has the authority to penalize BOTH business associates and subcontractors!

Direct Liability of Covered Entities and Business Associates
- Covered entities and business associates are directly liable for violations including:
  – Compliance with the HIPAA Security Rule’s administrative, physical and technical safeguards
  – Impermissible uses and disclosures of PHI and certain other requirements under the Privacy Rule
  – Notification of a breach of unsecured PHI
  – Compliance with documentation requirements, including executing business associate agreements
  – Failing to disclose PHI when required to determine a business associate’s compliance.

Direct Liability of Covered Entities and Business Associates
- Both covered entities and business associates are liable for violations due to the acts or omissions of their agents (subcontractors).
  – Not all business associates are automatically agents of covered entities, and not all subcontractors are agents of covered entities.
  – Liability depends on whether there is an agency relationship and whether the act or omission was within the scope of the agency.
- Covered entities and business associates are required to obtain “satisfactory assurances” through execution of agreements with their business associates and subcontractor business associates.

Business Associates Obligations
- The Omnibus Rule clarified that business associates must:
  – Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
  – Provide PHI to the Secretary upon demand;
  – Make an electronic copy of PHI available to an individual (or covered entity) if an individual requests it;
  – Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
  – Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.

Expanded Individual Rights: Use of PHI
- Tightened limitations on the use and disclosure of PHI for marketing purposes
- Requires covered entities to obtain authorization from individuals if the covered entity receives payment for producing or distributing materials
- Communications allowed without authorization, but the recipient must be able to “opt out”:
  – Case Management
  – Care Coordination
  – Therapies
  – Alternative Treatments or Providers
  – Prescription reminders (as long as remuneration is limited to reasonable costs)

Expanded Individual Rights: Sale of PHI
- Sale of PHI is prohibited without individual authorization unless:
  – Used by a public health agency for treatment and payment; OR
  – Other allowed disclosures, such as normal disclosures to business associates
- Authorization must be worded clearly so that individuals can make informed decisions
- Authorization must include the fact that the covered entity will receive payment for disclosures

Expanded Individual Rights: Patient Requests for PHI
- Individuals can request that a covered entity provide electronic copies of their health information
- Covered entities that maintain electronic records must provide PHI in the format requested by the individual if readily producible
- If not readily producible, the information must be provided in a readable electronic format agreed to by both the covered entity and the individual
- Covered entities may not charge more than the cost of labor and materials required to provide the electronic records

Expanded Individual Rights: Patient Requests for Restrictions on Disclosures
- Individuals can request that a covered entity not disclose to the individual’s health plan information concerning treatment for which the provider has been paid out-of-pocket in full
- Prior: Covered entities were not required to agree to such a request
- Now: Covered entities will need to employ some method to flag the individual’s record with respect to PHI that has been restricted, to ensure that such information is not inadvertently sent or made accessible to the health plan
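One way to implement the record flag the slide calls for, as an added example that is not part of the presentation: a restriction is recorded only when the item was paid in full out of pocket, and the disclosure filter withholds flagged items from the health plan while other recipients still receive the full record. The record model, recipient categories, field names and sample records are constructed for illustration.

```python
"""Flagging and honoring a patient's out-of-pocket disclosure restriction.

Added example, not from the presentation. It assumes a minimal record
model: each PHI item carries a ``restricted_from_plan`` flag that the
covered entity sets when the individual requests a restriction and the
service was paid in full out of pocket. The recipient categories, field
names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

HEALTH_PLAN = "health_plan"            # the recipient the restriction binds
TREATING_PROVIDER = "treating_provider"


@dataclass
class PhiItem:
    item_id: str
    description: str
    paid_out_of_pocket_in_full: bool = False
    restricted_from_plan: bool = False   # set only via record_restriction()


@dataclass
class Disclosure:
    recipient: str
    released: List[str] = field(default_factory=list)
    withheld: List[str] = field(default_factory=list)


def record_restriction(items: Dict[str, PhiItem], item_id: str) -> bool:
    """Honor a restriction request; returns True if the flag was set.

    The request only has to be granted when the individual paid in full out
    of pocket, so the flag is refused for anything the plan was billed for.
    """
    item = items[item_id]
    if not item.paid_out_of_pocket_in_full:
        return False
    item.restricted_from_plan = True
    return True


def disclose(items: Dict[str, PhiItem], recipient: str) -> Disclosure:
    """Select what may be sent to a recipient, withholding restricted items
    from the health plan. Other recipients (e.g. a treating provider) still
    receive the full record; disclosures required by law are not modeled.
    Withheld ids are returned so the decision can be logged and reviewed."""
    result = Disclosure(recipient)
    for item in items.values():
        if recipient == HEALTH_PLAN and item.restricted_from_plan:
            result.withheld.append(item.item_id)   # flag stops an inadvertent send
        else:
            result.released.append(item.item_id)
    return result


def sample_record() -> Dict[str, PhiItem]:
    """Constructed sample: one plan-billed visit and one self-paid visit."""
    return {
        "v1": PhiItem("v1", "office visit, billed to plan"),
        "v2": PhiItem("v2", "counseling session, self-paid",
                      paid_out_of_pocket_in_full=True),
    }


if __name__ == "__main__":
    rec = sample_record()
    print("restrict v1:", record_restriction(rec, "v1"))  # False: plan was billed
    print("restrict v2:", record_restriction(rec, "v2"))  # True
    print(disclose(rec, HEALTH_PLAN))                      # v2 withheld
    print(disclose(rec, TREATING_PROVIDER))                # both released
```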

Expanded Individual Rights: Use of PHI for Research
- Created a simplified and streamlined process for gaining individual authorizations for use of PHI
- Prior: Researchers were obligated to ask for permission for each distinct use of PHI
  – Added unnecessary complexity and confusion to the process of obtaining consent
- Now: Covered entities can ask individuals to consent to share PHI for a particular research study and, by extension, use the consent for related research purposes
  – Example: Obtain consent to share PHI and also use the same consent for creation of a database to store and allow for querying of information

Expanded Individual Rights: Use of Genetic Information
- Enhanced privacy protections for genetic information
  – Required by the Genetic Information Nondiscrimination Act
- Clarifies that genetic information is considered health information for purposes of HIPAA
- Prohibits health plans from using or disclosing genetic information that can be used for underwriting purposes
  – Exception: Issuers of long-term care policies
- Insurers must communicate this to consumers in the Notice of Privacy Practices

Expanded Individual Rights: Privacy Practices
- Covered entities must modify and redistribute Notices of Privacy Practices (NPPs) to include announcements regarding new privacy practices
- Revised NPPs must include:
  – New authorization requirements around the sale and marketing of PHI
  – Breach notification responsibilities of the covered entity
  – Right to “opt out” of fundraising and marketing communications
  – Right of patients to request disclosure restrictions on out-of-pocket payments to providers

Data Breaches by the Numbers
- 94% of healthcare organizations suffered a data breach in the past two years
  – Of those, 45% suffered more than 5 such incidents
- Average economic impact of a data breach in 2011 and 2012 for healthcare organizations was $2.4 million
  – $400,000 greater than 2010
  – Aggregate annual cost: $7 billion
- Average number of lost or stolen records per breach: 2,769
- And these numbers are going to increase with the new changes…
Source: “Third Annual Benchmark Study on Patient Privacy and Data Security”, ID Experts Corp, 2012

Changes to the Breach Notification Framework
- The HITECH Act of 2009 established a statutory requirement for breach notification
- Notification was required when more than 500 individuals were affected.
- Breach = “the acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of the protected health information.”
- Compromises = “poses a significant risk of financial, reputational, or other harm to the individual”

Changes to the Breach Notification Framework
- Burden of proof regarding breaches has now shifted
- “Threshold of harm” has been lowered
- It is now presumed that any acquisition, access, use or disclosure of PHI not permitted under the HIPAA Privacy Rule is a breach, regardless of the number of individuals affected.
- Exception: If a covered entity or business associate can demonstrate that “there is a low probability that the [PHI] has been compromised based on a risk assessment”

Changes to the Breach Notification Framework
- Business associates that experience a breach must provide notice of unsecured PHI to their covered entity “without reasonable delay and in no case later than 60 days following the discovery of the breach”
- Incidents that may not have been considered serious risks in the past will now need to be reported to the affected individuals and the Office of Civil Rights (OCR)
- The new threshold is stricter but intended to be more objective and easier to interpret and apply

Breach Notification - Risk Assessment
- A risk assessment can be used to demonstrate that there is a low probability that PHI has been compromised
- The risk assessment must include consideration of the following factors:
  – The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  – The unauthorized person who used the PHI or to whom the disclosure was made;
  – Whether the PHI was actually acquired or viewed; and
  – The extent to which the risk to the PHI has been mitigated.

Breach Notification
- Prepare your organization to minimize your risk of breach!!
- HHS stated in the Omnibus Rule that it will issue future guidance on risk assessments associated with breaches; however, no timeline was given.
- Organizations should begin by focusing on identifying the gaps in compliance that led to past incidents and closing those gaps.

Enhanced Enforcement
- The final rule solidifies and enhances provisions related to:
  – Compliance reviews and investigations
  – Imposition of civil monetary penalties
  – Procedures for hearings
- The maximum penalty for noncompliance due to negligence has also been increased to $1.5 million per violation
- Requires the HHS Secretary to conduct a compliance review whenever a preliminary review of a complaint indicates a possible violation by an organization (covered entity or business associate) due to willful neglect
- HHS has leeway in deciding the amount of the fine and can base the decision on contributing factors (e.g. past complaints, nature of harm, etc.)

Enhanced Enforcement: Penalties

Criteria for Determining Penalty                                   | Minimum Penalty (Per Violation / Cap) | Maximum Penalty (Per Violation / Cap)
-------------------------------------------------------------------|---------------------------------------|--------------------------------------
Violator did not know and could not have been expected to know     | $100 / $25,000                        | $50,000 / $1,500,000
There was “reasonable cause” and no “willful neglect”              | $1,000 / $100,000                     | $50,000 / $1,500,000
There was “willful neglect” and the violation was corrected        | $10,000 / $250,000                    | $50,000 / $1,500,000
There was “willful neglect” and the violation was not corrected    | $50,000 / $1,500,000                  | No specified maximum

Next Steps for Covered Entities and Business Associates
Gap Analysis
– Conduct a gap analysis between current policies and procedures and the new requirements, determine what changes are needed, and implement those changes as soon as reasonably possible.
– Identify and document business associates under the new definition.
– Business associates should identify and document their subcontractors, and confirm business associate agreement obligations and exposure to liability for noncompliance.

Next Steps for Covered Entities and Business Associates
Business Associates
– Create a separate set of policies and procedures to comply with these new rules.
– Business associates are not required to have their own privacy policies and procedures or train their workforce on privacy rules, but it is strongly recommended.
– Business associates that discover a breach must report it to the covered entity, and a subcontractor must report a breach to a business associate.
– Ultimately, the covered entity has the obligation to notify affected individuals of a breach, even if the breach occurred under the business associate, and even if the responsibility to notify has been delegated to the business associate.

Next Steps for Covered Entities and Business Associates
Breach Notification
– Organizations should review and revise their breach notification policies, procedures and breach response plans.
– Covered entities are required to notify all affected individuals as soon as possible; 60 days is the outer limit.
– OCR treats a breach as “discovered” when the entity becomes aware of the breach, or should have gained knowledge of the breach through due diligence.
– The “discovery” standard applies to employees and agents of the covered entities, including business associates.

Next Steps for Covered Entities and Business Associates
Workforce Training
– Provide additional training and awareness communications to personnel about the new requirements.
– Plan a training session with all personnel sometime in the near future, preferably before or near the March 26, 2013 effective date of the Omnibus Rule.
– Establish a way to monitor compliance by Business Associates and risks on an ongoing basis, enabling quick identification and mitigation of problems.

Next Steps for Covered Entities and Business Associates
Review and Amend Business Associate Agreements
– Update policies and procedures.
– Review and, if needed, amend existing business associate agreements to comply with the new requirements.
– OCR recently posted sample business associate agreement provisions on its website: tractprov.html
– The language may also be adapted for a contract between a business associate and its subcontractor.
– The template provisions are a helpful starting point, but additional revisions are advisable, such as detail regarding mitigation in the event of a breach.

Next Steps for Covered Entities and Business Associates
Revise and distribute new notices of privacy practices to individuals informing recipients of the following:
– the new prohibition against health plans using or disclosing genetic information for underwriting purposes;
– the prohibition on the sale of protected health information without express written authorization of the individual, including other uses and disclosures such as marketing and disclosure of psychotherapy notes;
– the duty of a covered entity to notify affected individuals of a breach;
– the individual’s right to opt out of receiving fundraising communications; and
– the individual’s right to restrict disclosures of protected health information to a health plan where the individual paid out of pocket in full.

Questions?