Published by Aron Gardner. Modified over 8 years ago.
Slide 1: HIPAA Goes HITECH
Kansas Health Solutions, July 9, 2009
Martie Ross, Lathrop & Gage LLP
mross@lathropgage.com, (913) 451-5152
Slide 2: HIPAA History Lesson
- 1993: Clinton healthcare reform initiative
- August 1996: Title II of the Health Insurance Portability and Accountability Act
  - Administrative Simplification
  - Facilitate electronic processing of health insurance claims
  - Three-year deadline for passage of comprehensive privacy law
- August 1998: Proposed HIPAA Security Rule published
- November 1999: Proposed HIPAA Privacy Rule published
- December 2000: Final HIPAA Privacy Rule published
Slide 3: HIPAA History Lesson (continued)
- August 2002: Revised final HIPAA Privacy Rule published
- February 2003: Final HIPAA Security Rule published
- April 2003: Compliance date for HIPAA Privacy Rule — one year later for small group health plans
- April 2005: Compliance date for HIPAA Security Rule — one year later for small group health plans; Proposed HIPAA Enforcement Rule published
- April 2006: Final HIPAA Enforcement Rule published
Slide 4: HIPAA Enforcement
- Privacy — OCR statistics, April 2003 – December 2008
  - 41,107 complaints received
  - 11,587 within OCR jurisdiction
  - 7,729 required corrective action by covered entity
  - 3,858 involved no violation
  - 448 referrals to DOJ
- Security — CMS statistics, through December 2008
  - 392 complaints received
  - 305 resolved
Slide 5: HIPAA Enforcement — Criminal Cases
- United States v. Gibson (Washington, 2004)
- June 2005 DOJ Memo: employees of covered entities not subject to criminal prosecution for HIPAA violations
- United States v. Ramirez (Texas, 2006)
- United States v. Ferrer and Machado (Florida, 2007)
Slide 6: HIPAA Enforcement — Security Audits
- Piedmont Hospital, March 2007
- PricewaterhouseCoopers one-year contract, December 2007
- Providence Health & Services Resolution Agreement, July 2008
  - Lost or stolen laptops and electronic media
  - $100,000 “resolution amount” — not a civil money penalty
  - “Robust” corrective action plan
- 2008 and 2009 OIG Work Plans
Slide 7: The HITECH Act — Who saw this coming?
- 110th Congress (2007-08)
  - Wired for Health Care Quality Act (WIRED Act)
  - Health Information Privacy and Security Act (Leahy Amendment)
- 111th Congress (2009-10)
  - American Recovery and Reinvestment Act of 2009, a/k/a ARRA or the Stimulus Package
  - Title XIII – Health Information Technology for Economic and Clinical Health Act
  - WIRED Act + Leahy Amendment + $20 billion
Slide 8: Outline of the HITECH Act
- Subtitle A – Promotion of HIT
  - Part I – Improving Health Care Quality, Safety, and Efficiency
  - Part II – Application and Use of Adopted Health Information Technology Standards; Reports
- Subtitle B – Testing of HIT
- Subtitle C – Incentives for the Use of HIT
  - Part I – Grants and Loans Funding
  - [Medicare and Medicaid incentive payments covered in separate title]
- Subtitle D — Privacy
Slide 9: Significant Changes
- Breach notification
- Minimum necessary disclosures
- Restrictions on TPO disclosures
- Accounting of disclosures
- Patient access
- Marketing
- Fundraising
- Prohibition on sale of PHI
- Business associates
- Criminal and civil monetary penalties
Slide 10: Breach Notification
- Current rule: CE must mitigate, to the extent practicable, any harmful effect that is known to the CE of an unauthorized use or disclosure of PHI by the CE or its business associate
- New rule: CE must provide notice to any person whose unsecured PHI has been accessed, acquired, or disclosed as a result of a breach discovered by the CE. Notice must also be provided to HHS.
Slide 11: Breach Notification — Questions
- What’s the timeline for implementation?
- What is unsecured PHI?
- What constitutes a breach?
- What constitutes discovery of a breach?
- To whom must notice be provided?
- What’s the timeframe for providing notice?
- How is the notice to be provided?
- What must the notice include?
- What notice must be provided to HHS?
- What are the recordkeeping requirements?
Slide 12: Timeline
- HHS must publish interim regulations by August 17, 2009
- Notification requirements will apply to breaches discovered on or after September 16, 2009
- Yes, that’s just four and one-half months away!
Slide 13: U-PHI (Unsecured PHI)
- PHI may be “secured” through use of a technology or methodology that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals
- Must utilize a technology or methodology specified in guidance issued — and annually updated — by HHS
- All other PHI is considered unsecured
Slide 14: HHS Guidance Specifying Technologies and Methodologies for Securing PHI
- Issued April 17, 2009
- Not mandatory, but the “functional equivalent of a safe harbor” to avoid notification requirements
- Duty to mitigate
- State law
- Public comment on limited data sets
- Encryption
  - Data at rest: NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
  - Data in motion: Federal Information Processing Standards (FIPS) 140-2
- Destruction
  - Paper, film, other hard copy media: shredded or destroyed such that PHI cannot be reconstructed
  - Electronic media: NIST Special Publication 800-88, Guidelines for Media Sanitization
Slide 15: What Constitutes a Breach?
- Unauthorized acquisition, access, use, or disclosure of UPHI which compromises the security or privacy of such information
- Not the security or privacy of the individual – just the information
Slide 16: Exceptions
- The unauthorized person to whom UPHI is disclosed would not reasonably have been able to retain such information
- Unintentional acquisition, access, or use — but not disclosure — of UPHI by a CE’s employee, agent, or BA if:
  - Made in good faith within the scope of employment / agency
  - No further acquisition, access, use or disclosure by any person
- Inadvertent disclosure from an individual otherwise authorized to access PHI at a facility operated by the CE or BA if:
  - Made to another similarly situated individual at the same facility
  - No further acquisition, access, use or disclosure by any person
Slide 17: When is a Breach Discovered?
- The first day on which any member of a CE’s workforce – other than the person committing the breach – knows or should have known about the breach
- A BA who discovers a breach must notify the CE without unreasonable delay, but not later than 60 days following discovery
  - Such notice must identify each individual whose UPHI was accessed, acquired, or disclosed during such breach
- Notice to the CE by a BA constitutes discovery of the breach by the CE
Slide 18: To Whom Must Notice Be Given?
- Each individual whose UPHI has been — or is reasonably believed by the CE to have been — accessed, acquired, or disclosed as a result of such breach
  - Personal representatives?
- In certain cases, CE must provide media notice
- Notice to HHS
Slide 19: By When Must Notice Be Provided?
- “without unreasonable delay”
- “in no case later than 60 calendar days after the discovery of a breach”
- One exception: if a law enforcement official determines such notice would “impede a criminal investigation or cause damage to national security,” notice may be delayed
Slide 20: Notice to the Individual
- Written form via first-class mail to the individual — or next of kin if the individual is deceased — at last known address
- May deliver by e-mail only if the individual previously has expressed a preference for such communication
- In addition to written notice, CE may contact the individual by telephone or other means if there is an urgent need to notify given the risk of possible imminent misuse of the individual’s UPHI
- Duty to make supplemental disclosures as information becomes available?
Slide 21: Insufficient or Out-of-Date Contact Information
- Required to use a substitute form of notice “in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information”
- Conspicuous posting, for a period to be determined by regulation, on the home page of the CE’s website, with toll-free number
  -or-
- “notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside,” with toll-free number
Slide 22: Content of Individual Notice
- Brief description of what happened, including date of breach and date of discovery, if known
- Description of the types of UPHI involved in the breach — e.g., name, SSN, DOB, home address, account number
- Steps the individual should take to protect himself / herself from potential harm resulting from the breach
- Brief description of the CE’s mitigation efforts
- Contact information, which must include a toll-free number, e-mail address, website or postal address
Slide 23: Media Notice
- CE must provide notice of breach “to prominent media outlets serving a State or jurisdiction” if UPHI “of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been accessed, acquired, or disclosed during such breach.”
- In addition to individual notice requirements
- Single episode, not cumulative
- 60-day timeframe applies
- Specific content not specified
- Press release or paid advertisement?
Slide 24: Notice to HHS
- In the event of a 500+ breach, must provide notice to HHS “immediately”
  - Specific content of notice not specified
  - HHS must publish such notices on its website
- If fewer than 500 individuals are impacted, may “maintain a log of any such breach occurring and annually submit such a log to [HHS] documenting such breaches occurring during the year involved.”
Slide 25: Recordkeeping Requirements
- CE “shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.”
- No timeframe specified
Slide 27: Minimum Necessary Disclosures
- Current rule: With certain exceptions, a CE must limit uses and disclosures of PHI to the “minimum necessary” information for the purpose of the disclosure
- New rule: By August 2010, HHS must publish guidance concerning what constitutes “minimum necessary” use or disclosure in certain circumstances. HHS must take into account “information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.”
  - Between February 17, 2010, and publication of the guidance, presumption that a limited data set — i.e., with direct identifiers stripped out — will be the minimum necessary, absent other considerations
Slide 29: Restrictions on TPO Disclosures
- Current rule: An individual may request restrictions on use and disclosure of PHI for TPO purposes, but there is no requirement that a CE honor such a request
- New rule: CE must honor the request if
  - the request relates to restricting disclosure to a health plan for purposes of payment or health care operations, and
  - the PHI pertains solely to a health care item or service for which the provider has been paid in full out-of-pocket
- Effective date: February 17, 2010
Slide 31: Accounting of Disclosures
- Current rule: Disclosures for TPO purposes do not have to be tracked for purposes of providing an accounting of disclosures
- New rule: CE must account for such disclosures made through electronic health records
  - Three-year accounting for such disclosures; six years for all others
  - EHR = electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff
- Accounting must either
  - include all disclosures made by the CE and its BAs, or
  - include only the CE but provide contact information for BAs
Slide 32: Effective Dates
- HHS must promulgate standards within six months to assist in implementation of this requirement, e.g., what information must be included in an accounting
- Compliance date for CEs that “acquired” an electronic health record as of January 1, 2009, is January 1, 2014
- For CEs that acquire EHRs after January 1, 2009, the compliance date is the later of January 1, 2011, or the date upon which the EHR is acquired
Slide 34: Patient Access
- If a CE uses or maintains an EHR, the individual may obtain a copy of PHI in electronic format
- Individual may direct the CE to transmit such record to any person or entity identified by the individual, provided such choice is clear, conspicuous, and specific
- Fee for providing an electronic copy of records maintained in electronic format is limited to labor costs
- Effective February 17, 2010
Slide 36: Marketing
- Current rule: Certain marketing-type activities are excepted from the definition of “marketing” and treated as part of treatment or health care operations
- New rule: Authorization now will be required for such disclosures if the CE receives direct or indirect payment from a third party in connection with the communication
- HHS must issue implementing regulations by August 17, 2010, and the new rules will go into effect six months thereafter
Slide 38: Fundraising
- Current rule: A CE must include in any fundraising materials a description of how the individual may opt out of receiving any further fundraising communications, and the CE must make reasonable efforts to honor such a request
- New rule: Any written fundraising communication must provide a clear and conspicuous opportunity for the recipient to elect not to receive any further fundraising communications. Such an election constitutes a revocation of authorization.
- Effective date: February 17, 2010
Slide 40: Prohibition on Sale of PHI
- A CE cannot directly or indirectly receive any remuneration in exchange for a person’s PHI unless specifically authorized by that person
- Several exceptions:
  - Transfer in connection with sale or merger of the CE
  - Transfer for treatment, public health activities, or research purposes
  - Providing the individual with a copy of his / her PHI
- HHS to promulgate regulations by August 2010, with new rules effective by February 2011
Slide 42: Business Associates
- Current rule: A BA is contractually obligated to adhere to certain provisions of the Privacy and Security Rules in performing certain services for a CE
- New rule with respect to the Security Rule: BAs are subject to the requirements for administrative, physical, and technical safeguards, and to the civil and criminal penalties for violating those standards
Slide 43: Business Associates (continued)
- New rules with respect to the Privacy Rule:
  - BA must comply with the use and disclosure rules with respect to PHI it obtains from or creates on behalf of a CE
  - “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to [CEs] shall also be applicable to such a business associate”
  - Such requirements must be incorporated into the parties’ BA agreement, e.g., accounting of disclosures, breach notification
- BAs subject to the same civil and criminal penalties as CEs for unauthorized disclosures — and other violations?
Slide 44: Business Associates (continued)
- New category of business associates: organizations that transmit PHI to a CE and that require access to such PHI on a routine basis
  - Examples: RHIOs, HIEs, e-prescribing gateways
- Effective date for all provisions: February 17, 2010
Slide 46: Criminal Penalties
- Current rule: Up to $250,000 in fines and 10 years in prison for disclosing or obtaining PHI with intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm. Only a CE – not an employee or agent of a CE — may be held criminally liable.
- New rule: Penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a CE, regardless of whether such person is employed by a CE.
Slide 47: Civil Monetary Penalties – Current Rules
- HHS may impose a CMP for failure to comply with the Privacy and Security Rules, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical type during a calendar year
- CMPs may not be imposed if:
  - the violation is a criminal offense under HIPAA’s criminal penalty provisions
  - the person did not have actual or constructive knowledge of the violation
  - the failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected within 30 days of discovery
Slide 48: Willful Neglect — Enforcement and Penalties
- HHS must investigate any complaint where a preliminary investigation suggests willful neglect has occurred
- HHS must impose a penalty for a violation due to willful neglect
- HHS must publish implementing regulations by August 2010, to take effect by February 2011
Slide 49: New CMP Tiers for Violations after February 17, 2009
- Basic penalty for all violations, even if the entity did not know and could not have known of the violation: $100 per violation, up to a maximum of $25,000 annually for any one requirement or prohibition
- Violations resulting from reasonable cause and not willful neglect: at least $1,000 per violation, up to a maximum of $100,000 annually for any one requirement or prohibition
- Violations caused by willful neglect, but that are cured within 30 days: at least $10,000 per violation, up to a maximum of $250,000 annually for any one requirement or prohibition
- Violations caused by willful neglect that are not cured within 30 days: at least $50,000 per violation, up to a maximum of $1.5 million annually for any one requirement or prohibition
Slide 50: Other New CMP Rules
- Collected CMPs must be reinvested in enforcement of the HIPAA Privacy and Security Rules
- By February 17, 2012, HHS must publish regulations giving a portion of CMPs to persons harmed by HIPAA violations
- For violations occurring after February 17, 2009, state attorneys general may file a case in federal district court to enjoin violations or obtain damages on behalf of individuals
Slide 51: So Now What?
- Commitment to compliance
  - Increased penalties + increased enforcement = time to pay closer attention to HIPAA
  - “Paper” HIPAA compliance program = willful neglect?
- Focus on disclosure requirements
  - Who will decide when disclosures need to be made?
  - Who will be responsible for making disclosures?
  - Who will be responsible for follow-up communications?
  - How will you educate employees?
- Conduct an audit of your BA agreements
- Focus on fundraising, minimum necessary determinations, requested restrictions
- Keep your eyes open for future developments