Introduction to HIPAA HITECH - PowerPoint Presentation

Uploaded by laxreffa (@laxreffa), 2020-06-16

Presentation Transcript
Slide1

Introduction to HIPAA HITECH and Risks Associated With PHI and/or PI

April 25, 2013
William Ewy, CIPP/US
Privacy and Security Practice Manager
ePlace Solutions, Inc.
Provider of NoDataBreach.com Risk Management Service

Slide2

NoDataBreach.com
Included with Cyber Insurance Policy
Cyber Risk Management Service

Online Materials
Webinars
Materials Distributed via Email
Phone and Email Support

Slide3

Threat and Costs of Data Breaches and ID Theft
Damage to individuals – ID theft, loss of privacy
Costs for organizations:
Forensic investigations to determine cause and extent
Fines, penalties and potential legal costs
Preparing and distributing breach notification letters; call center to answer victim questions
Credit monitoring for victims
Damage to reputation/loss of customer confidence

Slide4

Example HHS Settlements
Phoenix Cardiac Surgery (5-physician practice)
Reported to OCR for posting clinical and surgical appointments on an Internet-based calendar
OCR found PCS had few policies and procedures to comply with the HIPAA Privacy and Security Rules
Fined $100,000, required to implement a follow-up plan
Hospice of North Idaho
OCR investigation began after HONI reported theft of an unencrypted laptop
1st settlement involving fewer than 500 individuals
Fined $50,000

Slide5

From HHS “Wall of Shame”
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

Slide6

Attorneys General Beginning to Use HIPAA Enforcement Authority
Accretive Health, Inc. sued by Minnesota AG
South Shore Hospital sued by Massachusetts AG

Slide7

Agenda
HIPAA in the Past and as We Know It “Today”
What’s Changing and When:
Business Associates/Business Associate Agreements
Data Breach Notification Requirements
Notice of Privacy Practices
Enforcement
What to Do Now
Overview/Demo of NoDataBreach.com

Slide8

Disclaimer
William Ewy is not providing legal advice during today’s presentation. Mr. Ewy and ePlace Solutions provide certain risk management services known as “NoDataBreach” to Beazley’s Breach Response insurance policyholders and do not provide legal advice. If you have legal questions, you should obtain legal advice from qualified legal counsel.

Slide9

What is HIPAA and HITECH
The Health Insurance Portability and Accountability Act (HIPAA) of 1996
The Privacy Rule applies to Protected Health Information (PHI) in any form (e.g. electronic, paper, oral, etc.)
The Security Rule applies to PHI in electronic form and requires specific Administrative, Physical and Technical safeguards
The Health Information Technology for Economic and Clinical Health Act (HITECH) made several amendments to HIPAA

Slide10

Organizations Subject to HIPAA
Covered Entities (CEs):
Health plans (health insurance plans)
Healthcare clearinghouses – e.g. a billing service (non-standard to standard format, or vice versa)
Healthcare providers that conduct standard electronic transactions covered by HIPAA (listed on next page)
Business Associates (BAs):
Now a person who “creates, receives, maintains, or transmits” PHI on behalf of a CE

Slide11

Electronic Transactions Covered by HIPAA
Healthcare claims or encounter information
Healthcare payment and remittance advice
Coordination of benefits
Healthcare claims status
Enrollment or disenrollment in a health plan
Eligibility for a health plan
Health plan premium payments
Referral certification and authorization
First report of injury
Health claims attachments
Any other transaction prescribed by the Secretary of HHS

Slide12

Examples of Covered Entities
Health Care Providers:
Doctors
Clinics
Psychologists
Dentists
Chiropractors
Nursing Homes
Pharmacies
Health Plans:
Health insurance companies
HMOs
Company health plans
Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

Slide13

Today’s HIPAA Landscape
HITECH/ARRA, since 2009, included:
Breach notification
Business associate liability
Enforcement penalties
Attorneys General authority to enforce

Slide14

Today’s HIPAA Landscape
Interim Rules (“interim” = effective but subject to change via final rule) – 2009:
Breach notification
Enforcement penalties
Proposed Rule (not effective until final rule) – July 2010:
HITECH implementation, including BA and BAA agreement modifications

Slide15

Changing HIPAA Landscape: New HIPAA/HITECH Regulations

Omnibus HIPAA Final Rule, published Jan 25, 2013
Topics addressed include:
Breach notification
Business associate liability
Business associate agreements
Enforcement
Many other HIPAA compliance issues, including permissibility of using/disclosing PHI for marketing and fundraising communications, the individual’s right of access to electronic PHI, and other issues

Slide16

New HIPAA/HITECH Regulations
Effective date: Mar 26, 2013 (except as otherwise provided)
Compliance date: Sep 23, 2013

Slide17

New HIPAA/HITECH Regulations: Business Associates
HITECH made BAs subject to the Security Rule and certain Privacy Rule provisions
New regs implement HITECH requirements
BA definition amended to add:
Patient Safety Organizations
Health Information Organizations/data transmission entities
Vendors who provide Personal Health Records on behalf of covered entities, and
Subcontractors

Slide18

Business Associates: Subcontractors
Subcontractors to BAs are subject to HIPAA
Agreement is required between BA and subcontractor that contains all required BAA provisions
“No matter how far ‘down the chain’ the information flows”

Slide19

Business Associate Liability
Business Associates and their subcontractors are now directly liable for violations of the Security Rule and for uses and disclosures of PHI in violation of the Privacy Rule
Business Associates must:
Keep and disclose records as required by HHS; cooperate with HIPAA compliance investigations
Disclose PHI as needed by a CE to fulfill the requirement to provide an electronic copy of PHI
Notify CE of a breach of unsecured PHI
Adhere to “minimum necessary” uses and disclosures of PHI
Provide an accounting of disclosures
Enter into agreements with subcontractors that comply with the Privacy and Security Rules

Slide20

Business Associate Agreements
New required provisions (additive); Business Associate agreement must:
Require BA to comply with the Security Rule
Require BA to report breaches to CE
If delegated activity, require BA to comply with the Privacy Rule
If BA subcontracts, require BA to have a contract with the subcontractor that complies with BAA provisions
Transition provisions:
Existing BAAs may continue to operate for a one-year period after the compliance date, provided that:
Existing BAA currently complies with all BAA requirements, and
Existing BAA does not renew prior to the compliance date

Slide21

BAA Transition Period Detail

(e) Implementation specification: Deemed compliance.

(1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
(i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and
(ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.

(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
(i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
(ii) September 22, 2014.

Slide22

Business Associates: What to Do Now
Inventory Business Associate Agreements for current compliance
Create template (1) amendments for existing BAs and (2) BA agreement going forward
Determine which BAAs must be amended/replaced prior to 9/23/2012
Map out amendment/replacement strategy
Communicate with Business Associates; set expectations for:
BAA amendment/replacement process
Subcontractor identification and BA action plan
Set realistic timeline

Slide23

New HIPAA/HITECH Regulations: Breach Notification
Unchanged requirements, including:
Notification if breach of unsecured PHI/EPHI
Notice to affected individuals within 60 days of discovery
Notice content requirements
Notice to OCR immediately if breach affects 500 or more individuals, and annually if fewer than 500
Notice to the media if 500 or more affected

Slide24

Current Definition of Breach
HITECH defined “breach”: acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI
Interim final rule defined “compromise”: poses a significant risk of financial, reputational or other harm
CEs and BAs have been applying this standard in performing analyses

Slide25

New HIPAA/HITECH Regulations: Presumption/New “Compromise” Standard
An acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach
Unless the CE or BA can demonstrate (via documentation) that there is a low probability that the PHI has been compromised

Slide26

New HIPAA/HITECH Regulations: Probability of “Compromise”
Factors that must be weighed in assessing probability of compromise:
The nature and extent of the PHI involved
The unauthorized person who used the PHI or to whom the disclosure was made
Was the PHI actually acquired or viewed, and
Has the risk to the PHI been mitigated

Slide27

Data Breach Changes: What to Do Now
Update incident response plan
Revise breach analysis template
Update policies and procedures*
Train workforce on new requirements*
*Factor in other new HIPAA requirements

Slide28

Notice of Privacy Practices
The Final Rule requires several new provisions:
NPPs must state that the following require an individual’s prior authorization: (1) most uses and disclosures of psychotherapy notes (if the CE maintains psychotherapy notes); (2) uses and disclosures of PHI for marketing purposes; and (3) disclosures of PHI that constitute a “sale”
If a CE contacts individuals for fundraising purposes, its NPP must notify individuals that they have a right to opt out of such communications
NPPs must inform individuals of their right to restrict certain disclosures of PHI to health plans when the individual has paid in full
NPPs must tell individuals of their right to receive a notification if there is a breach of their unsecured PHI
For health plans, assurances that the plan will not use or disclose genetic information for underwriting purposes

Slide29

Enforcement Provisions Adopted and Clarified
Regulations adopt HITECH increased penalty structure:
Did not know: $100–$50,000 per violation
Reasonable cause: $1,000–$50,000 per violation
Willful neglect* if corrected: $10,000–$50,000 per violation
Willful neglect if uncorrected: $50,000 per violation
$1,500,000 maximum for all violations of an identical provision per year
*Conscious, intentional failure or reckless indifference to a compliance obligation

Slide30

Enforcement Provisions: New Clarifications
Factors government must now consider when determining penalties:
Nature and extent of violation, now includes number of affected individuals
Nature and extent of harm resulting, now includes reputational harm
History of compliance, now includes indications of non-compliance (vs. formal findings of violations)
Financial condition of the organization
If willful neglect, HHS:
Is required to investigate
Must conduct a compliance review
May (but probably won’t) resolve informally

Slide31

NoDataBreach.com Overview of Services

Slide32

The Service Focus
Providing updated, timely, relevant information to help organizations prevent data breaches
US Federal and State Laws and Regulations
Practical guidance
The information can be accessed/used as you see fit, for non-commercial purposes, within your insured organization

Slide33

Scope of Services (1)

Step-by-Step Procedures to Lower Risk
Understand the scope of “personal information” (“PI”)
Determine where PI is stored
Collect/retain the minimum amount of PI required for business needs
Destroy PI when no longer needed
Risk assessment guidance
Develop and implement an Incident Response Plan

On-line Compliance Materials
Federal and state compliance materials
Summaries of federal and state laws
Sample policies & procedures
Continuing updates and electronic notification of significant changes

Slide34

Scope of Services (2)

Phone/E-mail Support
Consultants & attorneys answer questions, including:
Health care & HIPAA compliance issues
Data breach prevention issues
Data security best practices
Computer forensic issues

Sent by email
Significant changes in federal and state laws/regulations
Breach and data security news
Privacy Alerts for events requiring immediate attention
Data Security Tips
Periodic Newsletter & “Privacy Posts”

Slide35

Scope of Services (3)

Training Modules
On-line training material
Specific, to-the-point
Awareness bulletins & posters
Webinars for privacy compliance and IT staff

Handling Data Breaches
Guidance provided to:
Respond to a data breach

Slide36

Policyholder Feedback
“With your outreach this week, I’m truly appreciating the value of our membership with No Data Breach. I don’t feel like I’m going it alone and will be surfing your website more frequently!”

Slide37

Site Walkthrough

Slide38

In Summary, the Service Provides…
Unlimited non-commercial access to information to help prevent data breaches
Updates via email
Newsletters, Privacy Posts
Webinars
Phone/E-mail support (questions)
Online resources

Slide39

Questions?