The HITECH Omnibus Final Rule: What it Means for Your Practice
HIPAA-HITECH-Maine Law Update
Stacey Mondschein Katz, Esq.
September 19, 2014
OMNIBUS HITECH FINAL RULE
• Issued January 25, 2013
• Combines:
  • HITECH changes to HIPAA
  • Final Genetic Information Nondiscrimination Act (GINA)
  • Final Breach Notification Rule
  • Final Enforcement Rule
• Full text available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

HITECH Omnibus Final Rule
• Published January 25, 2013, effective March 23, 2013, enforceable September 23, 2013.
HITECH Final Rule HIPAA Changes
• Final HITECH provisions – impact on:
  • Business associates
  • Marketing, fundraising, sale re: PHI
  • Electronic access by patients now “an absolute right”
  • Right to request restrictions
  • Enforcement (much, much higher penalties $$$)

Additional HITECH Changes to HIPAA
• Includes changes to:
  • Notice of Privacy Practices – needs to be updated and redistributed with specific language
  • Research authorizations – will now allow addition of a secondary authorization for data-banking
  • Student immunization records – will be governed by the Family Educational Rights and Privacy Act (FERPA), permitting sharing of immunization records with parent approval
  • Decedent information – 50 year rule, plus personal rep/involved family member will still have access
  • Modifies the HIPAA Privacy Rule as required by GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
  • Minimum Necessary
HIPAA Privacy Basics: Compliance Required for the HITECH Audits
Uses and Disclosures
• HIPAA generally permits uses and disclosures of PHI without patient authorization for “TPO”:
  • Treatment
  • Payment
  • Healthcare Operations
• HIPAA allows disclosures with authorization
• HIPAA provides an opportunity to agree or object in certain circumstances
• HIPAA allows disclosures for certain public benefit purposes, no authorization required

Disclosure – Opportunity to Agree/Object
• Sharing with family/friend involved in your care/payment – permitted based upon:
  • reasonable inference that the patient does not object,
  • or the patient agrees,
  • or the patient does not express an objection when given the opportunity
• Disaster relief notification (e.g. to a Red Cross-type org.)
• When the patient is not present, or without capacity – okay to allow a third person to pick up Rx, supplies, x-rays.
• Emergency situation – may use/disclose directory info in the professional judgment of the physician, in the best interest of the individual and consistent with the known wishes of the individual – must give the patient the opportunity to opt out when practicable.
• Directory – name, location, one-word condition, religious affiliation
  • Religion to clergy
  • Other categories to those who ask for the individual by name, unless opt-out

More on HIPAA Basics
• Sets the floor for protection of protected health information (PHI)
• Minimum Necessary – does NOT apply to:
  • Disclosures for TPO
  • Disclosures to the individual patient
  • Disclosures pursuant to a valid HIPAA authorization
  • Disclosures required by law or to HHS
• Policies, procedures, training/education
• State law applies if more protective or gives patients more rights
• Rights include the right to request amendment, restrictions, confidential/alternate communications, and the right to access/copy the record
HIPAA Permitted Disclosures
• Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes, including:
• Required by Law. Covered entities may use and disclose PHI without individual authorization as required by law (including by statute, regulation, or court orders).

Permitted Disclosures
• Public Health Activities. Covered entities may disclose PHI to public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, and to public health or other government authorities authorized to receive reports of child abuse and neglect.
• Victims of Abuse, Neglect, Domestic Violence. Note that Maine does not have a Domestic Violence exception. Where permitted by State law and under HIPAA, covered entities must disclose PHI to appropriate government authorities regarding victims of abuse, neglect.
• Judicial and Administrative Proceedings. Covered entities may disclose PHI in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal, or in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
• Check for appropriate language around specially protected categories.

Public Benefit Disclosures
• Also: Health Oversight Activities, such as audits, investigations, inspections, licensing
• Law Enforcement Purposes – this can be limited by state law; subject to “imminent risk” analysis, crime on premises or against the provider, Rx fraud
• Decedents – coroners, medical examiners, funeral directors
• Cadaveric Organ, Eye, or Tissue Donation
• Research
• Serious Threat to Health or Safety
• Essential Government Functions – national intelligence, etc.
• Workers’ Compensation
Authorizations
• Specially protected categories of information:
  • treatment by a mental health professional or program
  • drug/alcohol abuse treatment
  • HIV test results or status
• Required for marketing purposes ($ for communication)
  • But HITECH has marketing exceptions, such as when the provider is compensated for providing Rx reminders

Authorizations, continued
• Plain language
• Meaningfully describes the information that will be used or disclosed
• Identifies the person or class of persons authorized to make the requested use or disclosure
• Identifies the person or class of persons who may use the information or to whom it may be disclosed
• Be sure to include other language requirements for specially protected categories or state-mandated wording.

Authorizations, continued
• Expiration date or event
• Description of revocation requirements
• Warning about the potential for re-disclosure and loss of privacy protection
• Signed and dated

Authorizations, continued
• Generally, may not condition treatment, payment, or eligibility for benefits on the individual’s giving an authorization
• Retain authorizations for 6 years from the date of creation or the date last in effect, whichever is later
• Provide a copy to the individual

Original Patient Rights Include:
• Right to request confidential/alternate communications, certain restrictions, accounting of certain disclosures
• Right to request amendment of the record (add to the record)
• Right to access a designated record set of PHI (generally clinical or financial information used to make decisions about the patient)
  • Generally excludes certain information such as peer review info, PHI compiled in anticipation of a civil, criminal, or administrative proceeding
HITECH: Notice of Privacy Practices
• Need to CONSPICUOUSLY POST your Notice of Privacy Practices.
• HITECH says – issue the updated NPP to new patients, make the new NPP available at the desk without the patient having to ask for it
• Need to add specific language including:
  • New patient rights (restrictions)
  • New breach notification language
  • Notice re: sale
  • Notice re: restriction of PHI
  • Notice re: right to EHR in electronic format
  • Notice re: right to transmit ePHI electronically

HITECH: Notice of Privacy, Continued
• Providers must be sure that their Notice includes (or adds) the following:
  • A statement that uses and disclosures not described in the Notice will be made only with the individual's written authorization, a description of the types of uses and disclosures that require an authorization under HIPAA, and a statement that the individual may revoke an authorization;
  • If applicable, a section regarding use of PHI for fundraising communications purposes and the right to opt out of those communications;

HITECH: Notice of Privacy, Continued
  • A section that informs the individual that the organization is not required to agree to requested restrictions on uses and disclosures of PHI, except where the request is for restriction of PHI to a health plan for payment or health care operations purposes, the service has been paid for out of pocket in full, and the disclosure to the health plan is not required by law (see more on this, below);
  • A statement that the covered entity is required by law to maintain the privacy of PHI, to provide individuals with notice of its legal duties and privacy practices with respect to PHI, and to notify affected individuals following a breach of unsecured PHI;
• And, while you're at it... If you are part of the regional health information exchange, you should include appropriate language to that effect as well.
• Copies must be available for all patients, and you need to make your good faith attempt at obtaining a signature from your new patients.
HIPAA, HITECH and Meaningful Use
• Now that you have reviewed and implemented your HIPAA Privacy requirements, you need to review and implement your HIPAA Security requirements.
• If you have attested to Meaningful Use, or intend to do so, you must attest to having conducted or reviewed a Risk Analysis under the HIPAA Security Rule, and addressed your gaps.

HIPAA Security: Administrative Safeguards
• Security Risk Analysis
• Documentation of findings and steps to address gaps
• Policies
• Procedures on ensuring the security and privacy of PHI and ePHI in documents, correspondence, files
• Breach Notification Process

Take-away point re: Risk Analysis:
• You can’t contain threats you haven’t identified.
• Security Risk Analysis is a must in this near-paperless environment.

How To Determine Risk?
• The Security Rule and many guidance documents suggest a systematic assessment.
• Risk = the potential impact that a threat can have on the confidentiality, integrity and availability of ePHI.
• Threats = anything that can have a negative impact on ePHI
• Threats can be:
  • intentional (malicious intent), or
  • unintentional (data entry error, accident)
• Sources of threat can be:
  • Human – viruses, malware, thieves, hackers, or simple mistake
  • Natural/weather-related – tornado/flood/storm/earthquake
  • Environmental – power surges, pollution, hazardous contamination

Risk Analysis, continued
• Vulnerability = a flaw or weakness in the system that could be triggered by a threat.
• Example:
  • Stolen laptop = threat
  • Weak password protection, lack of encryption, no back-up of data, etc. = vulnerabilities impacted or exposed
  • The threat has exposed vulnerabilities re: confidentiality, integrity and availability of PHI.
• Risks: legal/regulatory, financial, operational, clinical, reputational
• How to fix/mitigate?
Phases of Risk Analysis
• Define the scope of the effort
• Inventory: gather information
• Identify reasonable threats
• Identify potential vulnerabilities
• Assess adequacy of current security controls
• Determine likelihood and impact of a threat exploiting vulnerabilities (e.g., 0-5) in light of current controls
• Determine level of risk
• Recommend risk controls/mitigation strategies, implement applicable controls (cost/benefit analysis)
• Document/maintain results of the risk analysis process
• Update, address additional/residual implementation
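As an added worked example (not part of the presentation, and not an HHS or OCR tool), the phases above can be captured in a small risk register: each entry pairs an inventoried asset with a threat and a vulnerability, scores likelihood and impact on the 0-5 scale the slide suggests, derives a risk level, records current controls and the recommended mitigation, and can be re-scored once a control is implemented to show residual risk. The asset names, scores, controls and the High/Medium/Low cut-offs (15 and 6 on a 0-25 product) are constructed for illustration, not values from the page.

```python
"""Constructed HIPAA security risk register (illustrative values only)."""
from dataclasses import dataclass, field
from typing import Dict, List

SCALE = range(0, 6)  # likelihood and impact are scored 0-5, as the slide suggests


@dataclass
class Risk:
    asset: str                  # inventoried system or media holding ePHI
    threat: str                 # human, natural or environmental threat
    vulnerability: str          # weakness the threat could trigger
    likelihood: int             # 0-5, judged in light of current controls
    impact: int                 # 0-5, effect on confidentiality/integrity/availability
    current_controls: List[str] = field(default_factory=list)
    mitigation: str = ""        # recommended control after cost/benefit analysis

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be scored 0-5")

    def score(self) -> int:
        return self.likelihood * self.impact  # 0-25

    def level(self) -> str:
        # Assumed cut-offs; a practice would set its own in policy.
        s = self.score()
        return "High" if s >= 15 else "Medium" if s >= 6 else "Low"

    def after_control(self, control: str, likelihood: int, impact: int) -> "Risk":
        """Residual risk once a recommended control is in place (the update /
        residual phase).  Returns a new entry so the original finding stays
        documented as the pre-mitigation state."""
        return Risk(self.asset, self.threat, self.vulnerability, likelihood, impact,
                    self.current_controls + [control], "")


def rank(register: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first, so mitigation effort goes where it matters."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def document(register: List[Risk]) -> List[Dict]:
    """Flatten the register into rows for the written risk analysis record."""
    return [{
        "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
        "likelihood": r.likelihood, "impact": r.impact, "score": r.score(),
        "level": r.level(),
        "controls": ", ".join(r.current_controls) or "none",
        "mitigation": r.mitigation,
    } for r in rank(register)]


# Constructed sample register for a small practice.
REGISTER = [
    Risk("clinician laptop", "theft of device", "no full-disk encryption", 3, 5,
         ["password login"], "deploy full-disk encryption; enforce screen lock"),
    Risk("EHR server", "power surge / outage", "no off-site backup", 2, 4,
         ["UPS"], "nightly encrypted backup taken off site"),
    Risk("front-desk fax", "misdirected fax", "no number confirmation step", 4, 1,
         [], "pre-programmed recipient numbers; cover-sheet confirmation"),
]

if __name__ == "__main__":
    for row in document(REGISTER):
        print(row)
    # Re-score the laptop once encryption is deployed: theft is just as likely,
    # but the impact on confidentiality drops.
    residual = REGISTER[0].after_control("full-disk encryption", 3, 1)
    print("residual laptop risk:", residual.score(), residual.level())
```

The `document()` rows are the artefact the slides keep coming back to: the written record of scope, findings, scores and mitigation that shows the analysis was actually done.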
Risk Management
• Develop and implement a risk management plan.
• Implement security measures
• Evaluate/monitor and maintain security measures

Administrative Safeguard (Privacy and Security) – Sanction Policy
• A covered entity is required to have a sanction policy and consistently enforce sanctions against any member of the workforce who willfully fails to honor its HIPAA or other legal obligations to keep PHI and ePHI confidential and secure.
• Applies to both Privacy and Security violations.

HIPAA Security: Physical Safeguards
• Reasonable physical safeguards against environmental or man-made harm or destruction may include:
  • Locked doors to prevent theft
  • Secure file systems to protect documents with PHI
  • Taking backed-up data off site to a secure location
  • Inventory of all hardware and portable media
  • Records of maintenance
  • Weather protection
  • Window covers

HIPAA Security: Technical Safeguards
• Change with the technology
• Technical safeguards against unauthorized access to PHI or ePHI may include:
  • Unique user IDs and passwords to prevent access by non-workforce
  • Monitoring and reviewing access attempts and usage
  • Virus protection, firewalls, protection against malicious software, patches/updates
  • Back-up and contingency planning
  • Secure cloud computing
  • Encryption (addressable)
HIPAA and Business Associates
• Under the original HIPAA Privacy Rule, covered entities were required to enter into a separate “business associate” (“BA”) agreement with any person or entity that used its PHI to perform a task on behalf of the covered entity. Examples of BAs include:
  • Billing and collections companies
  • Utilization, Quality Review consultants
  • Physicians taking on administrative roles (such as medical directorships)
  • Accountants
  • Attorneys

To-Dos for BAs and Subcontractors
• Now under the Final Omnibus Rule:
  • Need to amend existing Business Associate Contracts and templates
  • Direct enforcement applies to BAs.
• BAs need to comply with HIPAA directly:
  • Update HIPAA policies and procedures for security and many privacy requirements
  • Have someone oversee security of PHI/ePHI
  • Risk management
  • Implement appropriate privacy and security measures
  • Policies and procedures: security, breach notification, privacy.

Subcontractors of BAs
• HITECH Rule: Subcontractors treated as Business Associates.
• Definition of Subcontractor: a person who acts on behalf of a Business Associate, other than as workforce.
• A Business Associate needs to enter into a Business Associate Agreement with its Subcontractors.
• Result: 2 tiers of “Business Associates”:
  • Direct Business Associates (contract with Covered Entities)
  • Subcontractor Business Associates (contract with other Business Associates)

BAs, continued
• HITECH: Specific inclusions as Business Associates:
  • Health Information Organizations; e-Prescribing Gateways; and other persons that facilitate data transmissions with routine access to PHI
  • Patient Safety Organizations
HITECH Breach Notification
• A whole new scheme! Now, security incidents = “a presumption” of a breach.
• You may be able to get out from under the “breach” after a risk assessment (investigation) that follows certain steps.
• Need to demonstrate a “low probability that the PHI was compromised.”

Breach Risk Assessment Steps:
• The new HITECH Omnibus Final Rule replaces the interim breach notification rule's "harm" threshold with a different, multi-step risk assessment of at least the following factors:
  • (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • (ii) the unauthorized person who used the PHI or to whom the disclosure was made;
  • (iii) whether the PHI was actually acquired or viewed; and
  • (iv) the extent to which the risk to the PHI has been mitigated.

Risk Assessment
• “Low probability" is not specifically defined by the OCR, but will ultimately depend on the outcome of and responses to the assessment steps, and other investigative findings.
HITECH Breach Notification
• For a breach to be found, guidance says that a HIPAA violation will have occurred.
• For a breach to exist, the PHI at issue must be “unsecured.”
• If the PHI at issue has been appropriately encrypted or destroyed (rendered “unusable, unreadable, or indecipherable”) as required by the federal government, the PHI is NOT “unsecured”, and you do not have to report/notify of the incident.
• Example: Stolen laptop with ePHI that is appropriately encrypted. Risk assessment would = low probability of compromise. No notification required. Still consider your mitigation steps. Was the laptop in a car? Was it locked up or left in the open? Update your processes, and document your investigation and next steps.

Breach Notification, continued
• HHS emphasizes the importance of ensuring that your workforce is "appropriately trained and knowledgeable" regarding what constitutes a breach and on your policies and procedures around this subject.
• The guidance for the Omnibus Rule states that, in an event such as the loss of a laptop that contains unencrypted ePHI, you may just choose to make the required notifications rather than conduct the risk assessment, based upon the new presumption that a breach has occurred. (!)
Breach Risk Assessment: Exceptions
• If your risk assessment determines that unsecured PHI, a HIPAA violation and significant risk of harm exist, then notification is required unless one of three exceptions applies:
  • There is unintentional access/use/disclosure by a workforce member, within the scope of authority, and no further disclosure
    • Ex: fax from nurse intended for lab goes to billing

Breach Notification Exceptions, continued
  • There is an inadvertent disclosure by workforce or BA to a member of the same entity or OHCA and no further disclosure
    • Ex: Email to wrong dept. of hospital, deleted, mailer alerted
  • There is a good faith belief that the disclosure/PHI could not possibly be retained
    • Ex: Nurse hands, then immediately recovers, wrong instructions from patient/family in the waiting room

The BURDEN IS ON YOU. Document, Document, Document!
• Where an exception applies, notification is not required. However, the burden is on the entity to prove that notifications either were made as appropriate or that no notification was necessary.
• HHS emphasizes this point. Keep detailed documentation of the risk assessment process!
Timely Notification
• If notification is required, the 60 day clock starts from when the entity or business associate knew, or reasonably should have known, of the breach.
• 60 days is the outside limit – if it is possible to notify sooner, the Feds expect you to do so, and suggest that covered entities develop systems for identifying breaches early.

What is in the notice?
• Under HITECH, the notice must include such information as:
  • A brief description of the event
  • Date of breach and discovery, if known
  • Types of PHI disclosed
  • Steps patients should take to protect against identity theft
  • Hospital/practice contact information

Consider Languages, Disabilities
• Federal law requires compliance with the Americans with Disabilities Act and Limited English Proficiency considerations.
• How will you provide notice to the blind or those with disabilities or impairments?

Law Enforcement Delay
• Law enforcement may stop the 60 day clock if notification would compromise an investigation into the breach.
• State law may impact or alter this requirement.

Urgent Notice
• Where notification of a breach appears to be urgent because of the risk of misuse of unsecured PHI, calling patients may be appropriate, in addition to other forms of notice.
• Remember to document your efforts!

Additional requirements
• Where 500 or more individuals’ PHI is involved, notice must also be provided to:
  • Major media outlets in the area likely to reach patients
  • The Secretary of DHHS, within the same 60 day notice time frame
• HITECH suggests that less than 60 days is better

Substitute Notice
• Under federal law, substitute notice is required where there is insufficient contact information for at least 10 people, and includes:
  • Posting on website, or
  • Notice in major statewide print or broadcast media;
  • Must include a 1-800 number to allow individuals to determine whether their information was included in the breach.
• State breach law may have other requirements
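As an added worked example (not from the presentation and not an HHS/OCR tool), the breach decision described across the slides from "HITECH Breach Notification" through "Substitute Notice" can be written as one function: check whether the PHI was secured, whether a HIPAA violation occurred, what the four-factor assessment concluded, whether one of the three exceptions applies, and then work out who must be notified and by when (60 days from discovery, media and the Secretary at 500 or more individuals, the annual log otherwise, substitute notice when contact information is missing for 10 or more people, and the law enforcement delay). The `Incident` fields, the exception labels and the sample incidents are constructed for illustration; the outcome of the four-factor assessment is taken as an input, since the slides say "low probability" is a judgment the entity must document, not a computation.

```python
"""Constructed breach-notification decision helper (illustrative only)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NOTIFICATION_WINDOW_DAYS = 60     # outside limit, counted from discovery
MEDIA_AND_HHS_THRESHOLD = 500     # 500+ individuals: media and Secretary within 60 days
SUBSTITUTE_NOTICE_THRESHOLD = 10  # insufficient contact info for 10+: substitute notice

# Assumed labels for the three exceptions listed on the slides.
EXCEPTIONS = {
    "unintentional_workforce",   # unintentional access/use within scope of authority
    "inadvertent_same_entity",   # inadvertent disclosure within the same entity/OHCA
    "cannot_retain",             # good faith belief the PHI could not be retained
}


@dataclass
class Incident:
    discovered: date                     # when the entity knew or should have known
    phi_secured: bool                    # encrypted/destroyed per federal guidance
    hipaa_violation: bool
    low_probability_of_compromise: bool  # documented result of the four-factor test
    individuals_affected: int
    insufficient_contact_info: int = 0   # people with no usable contact details
    exception: Optional[str] = None      # one of EXCEPTIONS, or None
    law_enforcement_delay: bool = False  # clock stopped at law enforcement request


@dataclass
class Decision:
    breach: bool
    notify: List[str] = field(default_factory=list)
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    reasons: List[str] = field(default_factory=list)


def end_of_february_next_year(d: date) -> date:
    """Annual log deadline for breaches under 500: end of February, next year."""
    return date(d.year + 1, 3, 1) - timedelta(days=1)


def assess(inc: Incident) -> Decision:
    # Gates that mean no reportable breach; each reason is what you document.
    if inc.phi_secured:
        return Decision(False, reasons=["PHI encrypted/destroyed, so not 'unsecured'"])
    if not inc.hipaa_violation:
        return Decision(False, reasons=["no HIPAA violation occurred"])
    if inc.low_probability_of_compromise:
        return Decision(False, reasons=["risk assessment: low probability of compromise"])
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception: {inc.exception}")
        return Decision(False, reasons=[f"exception applies: {inc.exception}"])

    # Presumed breach of unsecured PHI: individuals are always notified.
    d = Decision(True, notify=["individuals"], reasons=["presumed breach of unsecured PHI"])
    if inc.law_enforcement_delay:
        d.reasons.append("60-day clock stopped by law enforcement")
    else:
        d.individual_deadline = inc.discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    if inc.individuals_affected >= MEDIA_AND_HHS_THRESHOLD:
        d.notify += ["major_media", "hhs_secretary"]
        d.hhs_deadline = d.individual_deadline       # same 60-day window
    else:
        d.notify.append("hhs_annual_log")
        d.hhs_deadline = end_of_february_next_year(inc.discovered)

    if inc.insufficient_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD:
        d.notify.append("substitute_notice")         # website or statewide media, 1-800 number
    return d


# Constructed sample incidents, all discovered on the date of this talk.
STOLEN_ENCRYPTED_LAPTOP = Incident(date(2014, 9, 19), True, True, True, 1200)
STOLEN_UNENCRYPTED_LAPTOP = Incident(date(2014, 9, 19), False, True, False, 1200,
                                     insufficient_contact_info=15)
MISDIRECTED_FAX = Incident(date(2014, 9, 19), False, True, False, 1,
                           exception="unintentional_workforce")
SMALL_BREACH = Incident(date(2014, 9, 19), False, True, False, 40)

if __name__ == "__main__":
    for name, inc in [("encrypted laptop", STOLEN_ENCRYPTED_LAPTOP),
                      ("unencrypted laptop", STOLEN_UNENCRYPTED_LAPTOP),
                      ("misdirected fax", MISDIRECTED_FAX),
                      ("small breach", SMALL_BREACH)]:
        print(name, assess(inc))
```

The `reasons` list is deliberately part of the return value: whichever branch is taken, the slides' point is that the entity carries the burden of proving either that notice went out or that none was required, so the decision and its basis should be written down together.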
The “Wall of Shame”
• In the event that your practice has determined that it has experienced a breach of unsecured PHI, if the breach impacts more than 500 individuals, you must report it to the Secretary of DHHS, who will post the breach on the HHS website.
• As of summer 2014, 900 breaches
• Details of reports are made public at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
• Breaches of under 500 must be logged and reported to the Secretary annually (by the end of February of the year following the discovery of the breach). Over 50,000 reported.
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html