Slide1
Introduction to HIPAA HITECH and Risks Associated With PHI and/or PI
April 25, 2013
William Ewy, CIPP/US
Privacy and Security Practice Manager
ePlace Solutions, Inc.
Provider of NoDataBreach.com Risk Management Service
Slide2
NoDataBreach.com
Included with Cyber Insurance Policy
Cyber Risk Management Service
Online Materials
Webinars
Materials Distributed via Email
Phone and Email Support
Slide3
Threat and Costs of Data Breaches and ID Theft
Damage to individuals – ID theft, loss of privacy
Costs for organizations:
Forensic investigations to determine cause and extent
Fines, penalties and potential legal costs
Preparing and distributing breach notification letters; call center to answer victim questions
Credit monitoring for victims
Damage to reputation / loss of customer confidence
Slide4
Example HHS Settlements
Phoenix Cardiac Surgery (PCS, a 5-physician practice)
Reported to OCR for posting clinical and surgical appointments on a publicly accessible Internet-based calendar
OCR found PCS had few policies and procedures in place to comply with the HIPAA Privacy and Security Rules
$100,000 settlement; required to implement a corrective action plan
Hospice of North Idaho (HONI)
OCR investigation began after HONI reported the theft of an unencrypted laptop containing ePHI
First settlement involving a breach affecting fewer than 500 individuals
$50,000 settlement
Slide5
From HHS “Wall of Shame” (posted breaches of unsecured PHI affecting 500 or more individuals)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
Slide6
Attorneys General Beginning to Use HIPAA Enforcement Authority
Accretive Health, Inc. sued by Minnesota AG
South Shore Hospital sued by Massachusetts AG
Slide7
Agenda
HIPAA in the Past and as We Know It “Today”
What’s Changing and When
Business Associates / Business Associate Agreements
Data Breach Notification Requirements
Notice of Privacy Practices
Enforcement
What to Do Now
Overview/Demo of NoDataBreach.com
Slide8
Disclaimer
William Ewy is not providing legal advice during today’s presentation. Mr. Ewy and ePlace Solutions provide certain risk management services known as “NoDataBreach” to Beazley’s Breach Response insurance policyholders and do not provide legal advice. If you have legal questions, you should obtain legal advice from qualified legal counsel.
Slide9
What is HIPAA and HITECH?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996
The Privacy Rule applies to Protected Health Information (PHI) in any form (e.g. electronic, paper, oral)
The Security Rule applies to PHI in electronic form (ePHI) and requires specific Administrative, Physical and Technical safeguards
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 made several amendments to HIPAA
Slide10
Organizations Subject to HIPAA
Covered Entities (CEs):
Health plans (health insurance plans)
Healthcare clearinghouses – e.g. a billing service that converts non-standard data to a standard format, or vice versa
Healthcare providers that conduct standard electronic transactions covered by HIPAA (listed on the next slide)
Business Associates (BAs): now defined as a person who “creates, receives, maintains, or transmits” PHI on behalf of a CE
Slide11
Electronic Transactions Covered by HIPAA
Healthcare claims or encounter information
Healthcare payment and remittance advice
Coordination of benefits
Healthcare claims status
Enrollment or disenrollment in a health plan
Eligibility for a health plan
Health plan premium payments
Referral certification and authorization
First report of injury
Health claims attachments
Any other transaction prescribed by the Secretary of HHS
Slide12
Examples of Covered Entities
Health Care Providers:
Doctors
Clinics
Psychologists
Dentists
Chiropractors
Nursing Homes
Pharmacies
Health Plans:
Health insurance companies
HMOs
Company health plans
Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
Slide13
Today’s HIPAA Landscape
HITECH/ARRA, since 2009, included:
Breach notification
Business associate liability
Enforcement penalties
Attorneys General authority to enforce
Slide14
Today’s HIPAA Landscape
Interim Rules (“interim” = effective, but subject to change via a final rule) – 2009:
Breach notification
Enforcement penalties
Proposed Rule (not effective until a final rule is issued) – July 2010:
HITECH implementation, including BA and BAA modifications
Slide15
Changing HIPAA Landscape: New HIPAA/HITECH Regulations
Omnibus HIPAA Final Rule, published Jan 25, 2013
Topics addressed include:
Breach notification
Business associate liability
Business associate agreements
Enforcement
Many other HIPAA compliance issues, including permissibility of using/disclosing PHI for marketing and fundraising communications, an individual’s right of access to electronic PHI, and other issues
Slide16
New HIPAA/HITECH Regulations
Effective date: Mar 26, 2013 (except as otherwise provided)
Compliance date: Sep 23, 2013
Slide17
New HIPAA/HITECH Regulations: Business Associates
HITECH made BAs subject to the Security Rule and certain Privacy Rule provisions
New regulations implement the HITECH requirements
BA definition amended to add:
Patient Safety Organizations
Health Information Organizations / data transmission entities
Vendors who provide Personal Health Records on behalf of covered entities
Subcontractors
Slide18
Business Associates: Subcontractors
Subcontractors to BAs are subject to HIPAA
An agreement is required between the BA and the subcontractor that contains all required BAA provisions
“No matter how far ‘down the chain’ the information flows”
Slide19
Business Associate Liability
Business Associates and their subcontractors are now directly liable for violations of the Security Rule and for uses and disclosures of PHI in violation of the Privacy Rule
Business Associates must:
Keep and disclose records as required by HHS; cooperate with HIPAA compliance investigations
Disclose PHI as needed by a CE to fulfill its requirement to provide an electronic copy of PHI
Notify the CE of a breach of unsecured PHI
Adhere to “minimum necessary” uses and disclosures of PHI
Provide an accounting of disclosures
Enter into agreements with subcontractors that comply with the Privacy and Security Rules
Slide20
Business Associate Agreements
New required provisions (additive); a Business Associate Agreement must:
Require the BA to comply with the Security Rule
Require the BA to report breaches to the CE
If an activity is delegated, require the BA to comply with the Privacy Rule
If the BA subcontracts, require the BA to have a contract with the subcontractor that complies with the BAA provisions
Transition provisions:
Existing BAAs may continue to operate for a one-year period after the compliance date, provided that:
The existing BAA currently complies with all BAA requirements, and
The existing BAA does not renew prior to the compliance date
Slide21
BAA Transition Period Detail (45 CFR § 164.532(e))
(e) Implementation specification: Deemed compliance.
(1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if: (i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and (ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of: (i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or (ii) September 22, 2014.
Slide22
Business Associates: What to Do Now
Inventory Business Associate Agreements for current compliance
Create templates: (1) amendments for existing BAs and (2) a BA agreement for use going forward
Determine which BAAs must be amended/replaced prior to the 9/23/2013 compliance date (and which qualify for the transition period above)
Map out an amendment/replacement strategy
Communicate with Business Associates; set expectations for:
The BAA amendment/replacement process
Subcontractor identification and the BA’s action plan
Set a realistic timeline
Slide23
New HIPAA/HITECH Regulations: Breach Notification
Unchanged requirements, including:
Notification if there is a breach of unsecured PHI/ePHI (PHI that is not encrypted or destroyed per HHS guidance; loss of properly encrypted ePHI, e.g. an encrypted laptop, is not a reportable breach)
Notice to affected individuals without unreasonable delay and no later than 60 days after discovery
Notice content requirements
Notice to HHS/OCR contemporaneously with individual notice if the breach affects 500 or more individuals; breaches affecting fewer than 500 are reported annually (within 60 days after the end of the calendar year in which they were discovered)
Notice to the media if 500 or more residents of a state or jurisdiction are affected
Slide24
Current Definition of Breach
HITECH defined “breach”: acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI
Interim final rule defined “compromise”: poses a significant risk of financial, reputational or other harm to the individual
CEs and BAs have been applying this standard in performing their risk analyses
Slide25
New HIPAA/HITECH Regulations: Presumption / New “Compromise” Standard
An acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule is presumed to be a breach
Unless the CE or BA can demonstrate (via documentation) that there is a low probability that the PHI has been compromised
Slide26
New HIPAA/HITECH Regulations: Probability of “Compromise”
Factors that must (at a minimum) be weighed in assessing the probability of compromise:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
The unauthorized person who used the PHI or to whom the disclosure was made
Whether the PHI was actually acquired or viewed, and
The extent to which the risk to the PHI has been mitigated
Slide27
Data Breach Changes: What to Do Now
Update the incident response plan
Revise the breach analysis template
Update policies and procedures*
Train the workforce on the new requirements*
*Factor in other new HIPAA requirements
Slide28
Notice of Privacy Practices
The Final Rule requires several new provisions:
NPPs must state that the following require an individual’s prior authorization: (1) most uses and disclosures of psychotherapy notes (if the CE maintains psychotherapy notes); (2) uses and disclosures of PHI for marketing purposes; and (3) disclosures of PHI that constitute a “sale”
If a CE contacts individuals for fundraising purposes, its NPP must notify individuals that they have a right to opt out of such communications
NPPs must inform individuals of their right to restrict certain disclosures of PHI to health plans when the individual has paid in full
NPPs must tell individuals of their right to receive a notification if there is a breach of their unsecured PHI
For health plans, assurances that the plan will not use or disclose genetic information for underwriting purposes
Slide29
Enforcement Provisions Adopted and Clarified
Regulations adopt the HITECH increased (tiered) penalty structure:
Did not know: $100–$50,000 per violation
Reasonable cause: $1,000–$50,000 per violation
Willful neglect*, if corrected: $10,000–$50,000 per violation
Willful neglect, if uncorrected: $50,000 per violation
$1,500,000 maximum for all violations of an identical provision per calendar year
*Conscious, intentional failure or reckless indifference to a compliance obligation
Slide30
Enforcement Provisions: New Clarifications
Factors the government must now consider when determining penalties:
Nature and extent of the violation, which now includes the number of affected individuals
Nature and extent of the resulting harm, which now includes reputational harm
History of compliance, which now includes indications of non-compliance (vs. formal findings of violations)
Financial condition of the organization
If willful neglect is indicated, HHS:
Is required to investigate
Must conduct a compliance review
May (but probably won’t) resolve the matter informally
Slide31
NoDataBreach.com Overview of Services
Slide32
The Service Focus
Providing updated, timely, relevant information to help organizations prevent data breaches
US Federal and State Laws and Regulations
Practical guidance
The information can be accessed/used as you see fit, for non-commercial purposes, within your insured organization
Slide33
Scope of Services (1)
Step-by-Step Procedures to Lower Risk:
Understand the scope of “personal information” (“PI”)
Determine where PI is stored
Collect/retain the minimum amount of PI required for business needs
Destroy PI when no longer needed
Risk assessment guidance
Develop and implement an Incident Response Plan
On-line Compliance Materials:
Federal and state compliance materials
Summaries of federal and state laws
Sample policies & procedures
Continuing updates and electronic notification of significant changes
Slide34
Scope of Services (2)
Phone/E-mail Support:
Consultants & attorneys answer questions, including:
Health care & HIPAA compliance issues
Data breach prevention issues
Data security best practices
Computer forensic issues
Sent by email:
Significant changes in federal and state laws/regulations
Breach and data security news
Privacy Alerts for events requiring immediate attention
Data Security Tips
Periodic Newsletter & “Privacy Posts”
Slide35
Scope of Services (3)
Training Modules:
On-line training material
Specific, to-the-point
Awareness bulletins & posters
Webinars for privacy compliance and IT staff
Handling Data Breaches:
Guidance provided to respond to a data breach
Slide36
Policyholder Feedback
“With your outreach this week, I’m truly appreciating the value of our membership with No Data Breach.”
“I don’t feel like I’m going it alone and will be surfing your website more frequently!”
Slide37
Site Walkthrough
Slide38
In Summary, the Service Provides…
Unlimited non-commercial access to information to help prevent data breaches
Updates via email
Newsletters, Privacy Posts
Webinars
Phone/E-mail support (questions)
Online resources
Slide39
Questions?