South Carolina Healthcare Financial Management Association
Legal Implications of HIT: Practical Tips for Compliance and Vendor Contracting
June 1, 2011
Mark L. Bender, JD, (803) 253-8212, email@example.com
Jeanne M. Born, RN, JD, (803) 540-2038, firstname.lastname@example.org
Nexsen Pruet, LLC, http://www/nexsenpruet.com
HIPAA/HITECH
• Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• American Recovery and Reinvestment Act of 2009
  • Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”)
    • Division A, Title VIII, Subtitle D – Privacy
    • Division B, Title IV – Medicare/Medicaid Incentives
• Assumptions: I will assume that you all speak “HIPAA” & “HITECH”
HIPAA/HITECH
• HITECH made multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others.
• HITECH also provides for economic incentives to encourage the implementation of EHRs for hospitals and other “eligible providers.”
• This presentation is intended to be a high-level overview of some, not all, of the legal issues that arise out of the changes effected by HITECH and the regulations & guidance published pursuant to HITECH (to date) and implementing HIT.
Overview
• Legal & compliance issues with implementing the HITECH changes in the Privacy and Security regulations.
• Legal & compliance issues with implementing the Medicare & Medicaid Incentive Program meaningful use regulations.
• Additional legal issues in HIT implementation, including:
  • Practical tips for EHR system contracting.
Proposed Regulations
• July 14, 2010: Notice of Proposed Rulemaking: Modifications of the HIPAA Privacy, Security, and Enforcement Rules Under HITECH (the “NPRM”)
• Purpose: To implement several provisions of HITECH and broaden individual privacy rights.
• Still no final rule.
• A copy of the NPRM is at the following website: http://edocet.access.gpo.gov/2010/2010-16718.htm
July 14, 2010 NPRM
• The July 14 NPRM implements the HITECH provisions, which were to be effective February 17, 2010.
• However . . .
• The NPRM states the following: “We note that the final rule will not take effect until after most of the provisions of the HITECH Act became effective on February 18, 2010. We recognize that it will be difficult for covered entities and business associates to comply with the statutory provisions until after we have finalized our changes to the HIPAA Rules. In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.” 75 F.R. 40868, 40871.
July 14, 2010 NPRM
• March 15, 2010 on the OCR website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html
• “Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM, and the final rule that will follow, provide specific information regarding the expected date of compliance and enforcement of these new requirements.”
• Upshot? While this was a “stay of execution,” we highly recommend that you go forward with taking steps toward compliance – both Covered Entities and Business Associates.
Business Associates Subject to Security Provisions
• Section 13401(a) provides that certain Security Standard provisions apply to Business Associates (“BA”) in the same manner as Covered Entities (“CE”):
  • 45 CFR §164.308 – Administrative Safeguards
  • 45 CFR §164.310 – Physical Safeguards
  • 45 CFR §164.312 – Technical Safeguards
  • 45 CFR §164.316 – Policies and procedures and documentation requirements
• The additional requirements of HITECH that relate to security and that are made applicable with respect to CEs shall also be applicable to BAs.
• And shall be incorporated into the BA Agreement (“BAA”) between the BA and the CE.
Business Associates Subject to Security Provisions: NPRM
• Accountants are business associates if the accountant provides accounting services on behalf of a covered entity and the accountant uses PHI (includes payment information) to provide those services.
• Also adds obligations for BAs to pass on BA obligations to subcontractors.
Section 13401(c): Guidance on Security Rule Risk Analysis Requirements
• On July 14, 2010, HHS published guidance on compliance with risk analysis requirements under the security rule:
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
• Very useful for CEs and BAs.
• Will be updated after the final HITECH implementing regulations are published.
• A risk analysis (conduct or review) is also one of the required measures in the meaningful use regulations.
Section 13404: Application of Privacy Provisions and Penalties to BAs
• (a) Provides that the following privacy provisions apply directly to BAs:
  • 45 C.F.R. §§ 164.502(e) and 164.504(e) (Re: BAAs)
  • The additional provisions in HITECH that relate to privacy that apply to CEs also apply to BAs.
  • NPRM broadly includes BAs in §§ 164.502 and 164.504(e).
  • NPRM includes new provision on subcontractors of BAs.
• (b) Provides that a BA must take steps to cure a breach of the BAA by the CE, terminate the BAA, or report to DHHS if the CE violates the BAA (“Snitch provision”).
• (c) Provides that if a BA violates (a) or (b), then the BA is subject to the HIPAA Statutory civil and criminal penalties (42 U.S.C. §§1320d-5 & 1320d-6).
Civil and Criminal Provisions of HIPAA Apply to BAs
• Section 13401(b) provides that if a BA violates any of the Security provisions in Section 13401(a), the civil and criminal provisions of the HIPAA statute apply to the BA in the same manner as a CE.
• Significant for BAs: Previously, the only recourse against a BA was an action under the BAA.
Criminal Penalties: 42 U.S.C. §1320d-6
• (a) A person who knowingly and in violation of this part--
  • (1) uses or causes to be used a unique health identifier;
  • (2) obtains IIHI relating to an individual; or
  • (3) discloses IIHI to another person,
  shall be punished as provided in subsection (b) of this section.
• (b) Penalties: A person described in subsection (a) of this section shall--
  • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
  • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  • (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Notification of Breach: Section 13402
• A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach.
• BAs shall notify the CE of such breaches.
Breach: Section 13400(1)
• (A) IN GENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Breach: Section 13400(1)
• (B) EXCEPTIONS.—The term ‘‘breach’’ does not include—
  • (i) any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a CE or BA if—
    • (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the CE or BA; and
    • (II) such information is not further acquired, accessed, used, or disclosed by any person; OR
  • (ii) any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA to another similarly situated individual at the same facility; and
  • (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
Definition of Breach
• Published the interim final rule on August 24, 2009: 45 C.F.R. §§164.400 – 164.414.
• Modified the definition of breach . . .
• Added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows:
  • Poses a significant risk of financial, reputational, or other harm to the individual.
• Senator Waxman did not like this change and informed Secretary Sebelius by letter dated October 1, 2009.
• This was not addressed in the NPRM.
Status of Breach Notification Interim Final Rule & Final Rule
• Interim Final Breach Notification Rule can be found at: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
• A final breach rule was submitted to the OMB in late July of 2010, but it was withdrawn.
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html
• Upshot: the interim final rule stands. Stay tuned.
Unsecured PHI: Section 13402(h)
• Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
• Guidance published April 17, 2009.
Notification of Breach
• Guidance published April 17, 2009 provides that the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are:
  • Electronic PHI that has been encrypted
    • Data at rest – NIST Special Publication 800-111
    • Data in motion – FIPS 140-2 (includes NIST Special Publications 800-52, 800-77 or 800-113)
  • Media on which PHI is stored or recorded has been destroyed:
    • Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed
    • Electronic media: cleared or purged consistent with NIST Special Publication 800-88
• FIPS: www.itl.nist.gov/fipspubs/index.htm
• NIST: www.nist.gov/
Notification of Breach
• Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach.
• Individuals: notice is provided in writing by first class mail or by e-mail if the individual provided a preference.
• If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached.
• Regulations add provisions for deceased individuals and when contact information is insufficient or out of date:
  • Fewer than 10: alternative form of written notice, telephone or other means
  • 10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information.
Notification of Breach
• If notification is urgent because of possible misuse, may telephone the individual(s).
• If 500 or more individuals are involved, notice must be provided to prominent media outlets.
• Notice must be provided to the Secretary of DHHS:
  • If 500 or more individuals are involved, this notice must be given immediately.
  • If fewer than 500, the CE may keep a log and disclose to the Secretary annually.
• The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.
• See the OCR posting (225 recorded breaches >500 to date) at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Notification of Breach
• Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
• Guidance for notifying Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
  • Submit Notice of a Breach Affecting 500 or More Individuals
  • Submit Notice of a Breach Affecting Fewer than 500 Individuals
Notification of Breach
• Content of notice:
  • Brief description of what happened (include date of breach and date of discovery)
  • A description of the types of Unsecured PHI involved in the breach
  • The steps that individuals should take to protect themselves from potential harm
  • A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches
  • Contact information (toll-free telephone number, an e-mail address, web site, or postal address)
Notification of Breach
• Notice can be delayed if necessary if law enforcement determines that notice:
  • Would impede a criminal investigation
  • Cause damage to national security
Section 13405(a): Restrictions
• Provides that a CE must comply with a request for a restriction (45 C.F.R. §164.522(a)(1)(i)(A)) in the use or disclosure of PHI if the purpose of the use or disclosure is NOT treatment and if payment is out of pocket in full.
• Upshot: Amend your HIPAA policies and procedures and your Notice of Privacy Practices to add this requirement and flag your PHI if such a restriction is requested.
• NPRM implements this provision.
Section 13405(b): Disclosures Limited: Minimum Necessary
• (b)(1) A CE will be in compliance with the minimum necessary standard (45 C.F.R. §164.502(b)) if the CE uses, discloses or requests only a limited data set (45 C.F.R. §514(e)(2)); if the limited data set is not sufficient, then the minimum necessary PHI to accomplish the purpose may be disclosed.
• DHHS is to publish guidance on what constitutes “minimum necessary” within 18 months of the publication of HITECH on February 17, 2009. Interestingly, the Notice of Proposed Regulations did not define the “minimum necessary standard.”
• Publication was to be made by August 17, 2010.
• No guidance published as yet.
• Upshot? Guidance will affect multiple policies/procedures and likely business practices as well. Be on the lookout!
Section 13405(c): Accounting of Disclosures
• (c) If a CE maintains an EHR with respect to PHI, then the accounting of disclosures includes disclosures for treatment, payment and health care operations (“TPO”), but
  • The accounting may be requested for only the prior three (3) years.
• DHHS was to promulgate regulations within 6 months after DHHS adopts standards on accounting for disclosures for TPO in Section 3002(b)(2)(B)(iv) of HITECH.
• The proposed date for accounting of disclosures was January 11, 2011.
Section 13405(c): Accounting of Disclosures
• On May 3, 2010, DHHS published a “request for information” asking for information re:
  • Interests of individuals as to disclosures for TPO through an EHR;
  • The administrative burden on CEs and BAs;
  • Other information to help rulemaking.
• Comment period ended May 18, 2010.
• The NPRM was published in the Federal Register May 31, 2011:
  • See: http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf
Section 13405(c): Accounting of Disclosures: NPRM
• Divided into 2 rights; applies to CEs and BAs:
  • Right to an accounting (paper & EHR) – 3-year period
  • Right to an access report (EHR only) – 3-year period
    • Includes who has accessed the individual’s E-PHI held by a CE or BA.
    • Does not distinguish between “uses” and “disclosures,” and thus would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the CE.
    • Identifies the date, time, and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information, a description of the PHI that was accessed; and
    • the user’s action, but only to the extent that such information is available.
• Right to an access report must be added to the NPP.
Section 13405(c): Accounting of Disclosures: NPRM
• Exempts accounting of impermissible disclosures that have been reported to the individual as a breach.
• Disclosures included in the accounting:
  • For public health activities except disclosures to report child abuse
  • For judicial and administrative proceedings
  • For law enforcement purposes
  • To avert a serious threat to health or safety
  • For military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits
  • For workers’ compensation
Section 13405(c): Accounting of Disclosures: NPRM
• Disclosures to carry out treatment, payment and health care operations as provided in §164.506 would continue to be exempt for paper records.
• An individual would be able to obtain information (such as the name of the person accessing the information) for all access to E-PHI stored in a designated record set for purposes of treatment, payment and health care operations.
Section 13405(c): Accounting of Disclosures: NPRM
• Excludes from the ACCOUNTING:
  • disclosures about victims of abuse, neglect, or domestic violence under § 164.512(c);
  • disclosures for health oversight activities under § 164.512(d);
  • disclosures for research purposes under § 164.512(i);
  • disclosures about decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes under § 164.512(g) and (h);
  • disclosures for protective services for the President and others under § 164.512(k)(3); and
  • most disclosures that are required by law (including disclosures to the Secretary to enforce the HIPAA Administrative Simplification Rules).
• But the foregoing is to be available in the ACCESS REPORT to the extent these disclosures are made through the EHR.
Section 13405(c): Accounting of Disclosures: NPRM
• Content of the accounting:
  • The date, or approximate date or period of time during which the disclosure occurred which, at a minimum, shall include the month and year or a description of when the disclosure occurred from which an individual can readily determine the month and year of the disclosure;
  • The name of the entity or person who received the PHI and, if known, the address of such entity or person;
  • Brief description of the type of PHI disclosed;
  • Brief description of the purpose of the disclosure.
Section 13405(c): Accounting of Disclosures: NPRM
• Provision of the Accounting:
  • CE must act on the individual’s request for an accounting no later than 30 days after receipt of such request.
  • If the CE is unable to provide the accounting within that time, the CE may extend the time by no more than 30 days provided that (1) the CE provides a written statement of the reason for the delay and the date by which the CE will provide the accounting and (2) the CE may have only 1 such extension.
  • CE must provide the accounting in the form and format requested by the individual (there are a few exceptions).
  • CE must provide the first accounting to an individual in any 12-month period without charge.
Section 13405(c): Accounting of Disclosures: NPRM
• Documentation of the Accounting:
  • CE or BA must retain the information required to be included in an accounting under this section for three years from the date of disclosure.
  • CE must document and retain the following:
    • A copy of the written accounting that is provided to the individual
    • Titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals
Section 13405(c): Accounting of Disclosures: NPRM
• Content of the Access Report (likened to an audit log, as required under the Security Rule):
  • All disclosures AND USES of E-PHI in the designated record set (not limited to uses and disclosures made through the EHR).
  • CE must provide the individual with an access report that includes the following:
    • Date of access; time of access; name of natural person; description of what information was accessed; description of action by the user.
  • CE shall provide the individual with the option to limit the access report to a specific date, time period, or person.
Section 13405(c): Accounting of Disclosures: NPRM
• Provision of the Access Report:
  • CE must act on the individual’s request for an access report no later than 30 days after receipt.
  • CE must provide the individual with the access report in a machine readable or other electronic form and format requested by the individual, if it is readily producible in such form and format.
  • CE must provide the first access report to an individual in any 12-month period without charge.
Section 13405(c): Accounting of Disclosures: NPRM
• Documentation of the Access Report:
  • CE or BA must retain the information required to be included in an access report under this section for three years from the date of the use or disclosure.
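The access report slides above describe a record format (date, time, name of the natural person or, failing that, the entity, what was accessed, the user's action), the individual's option to narrow the report by date, period or person, and the three-year retention window. The following is an added example, not from the presentation or any EHR vendor: it assumes a constructed pipe-delimited audit log with those fields and a hypothetical `access_report` function that turns it into the report the NPRM describes.

```python
"""Build an NPRM-style access report from EHR audit-log records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log, one access event per line.
# Fields: timestamp | patient id | user name | entity | PHI description | action
# The second line has no user name, exercising the "entity if person unavailable" rule.
SAMPLE_AUDIT_LOG = """\
2011-03-02T09:14:05|P-1001|Dr. A. Smith|Clinic A|Medication list|view
2011-03-02T09:20:41|P-1001||Billing Vendor LLC|Claim history|export
2011-04-15T16:02:13|P-1001|Nurse B. Jones|Clinic A|Progress notes|update
2011-04-15T16:10:00|P-2002|Nurse B. Jones|Clinic A|Allergy list|view
2007-01-09T11:00:00|P-1001|Dr. A. Smith|Clinic A|Lab results|view
"""

# NPRM: information required for an access report is retained for three years
# from the date of the use or disclosure (approximated here as 3 x 365 days).
RETENTION = timedelta(days=3 * 365)


@dataclass(frozen=True)
class AccessEntry:
    patient_id: str
    accessed_at: datetime
    who: str              # natural person, or entity name when the person is unavailable
    phi_description: str
    action: str


def parse_audit_log(text):
    """Parse the constructed pipe-delimited log into AccessEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, patient, person, entity, phi, action = (f.strip() for f in line.split("|"))
        # Name of the person, or of the entity if the person's name is unavailable.
        who = person or entity
        entries.append(AccessEntry(patient, datetime.fromisoformat(ts), who, phi, action))
    return entries


def access_report(entries, patient_id, as_of, start=None, end=None, person=None):
    """Return report rows (oldest first) for one individual.

    Events older than the retention window ending at `as_of` are dropped.
    `start`/`end` (dates) and `person` implement the NPRM's option to limit
    the report to a specific date, time period, or person.
    """
    oldest_retained = as_of - RETENTION
    rows = []
    for e in sorted(entries, key=lambda x: x.accessed_at):
        if e.patient_id != patient_id or e.accessed_at < oldest_retained:
            continue
        if start and e.accessed_at.date() < start:
            continue
        if end and e.accessed_at.date() > end:
            continue
        if person and e.who != person:
            continue
        rows.append({
            "date": e.accessed_at.date().isoformat(),
            "time": e.accessed_at.time().isoformat(),
            "name": e.who,                 # natural person or entity
            "information": e.phi_description,
            "action": e.action,            # only to the extent the log records it
        })
    return rows


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_AUDIT_LOG)
    for row in access_report(log, "P-1001", as_of=datetime(2011, 6, 1)):
        print(row)
```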
Section 13405(c): Accounting of Disclosures (cont’d)
• In processing a request for an accounting, the CE may elect:
  • An accounting of disclosures of the CE and BAs; or
  • An accounting of disclosures of the CE and a list of BAs the individual can contact, with contact information.
Section 13405(d): Prohibition on the Sale of EHRs or PHI
• A CE or BA shall NOT directly or indirectly receive remuneration in exchange for any PHI of an individual unless the CE obtains a valid HIPAA authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the receiver.
• The prohibition does not apply to the following disclosures:
  • Public health activities (45 C.F.R. §164.512(b))
  • Research purposes (45 C.F.R. §164.512(i)) where the price charged reflects the cost of preparation and transmittal of the data
  • Treatment
  • Due diligence disclosures in connection with the sale or transfer of assets of a potential successor in interest
  • Disclosures to the BA
  • Access by the individual subject of the PHI
  • As otherwise determined by DHHS
Section 13405(d): Prohibition on the Sale of EHRs or PHI
• Regulations were to be published by August 17, 2010 . . . Stay tuned.
• Upshot? Review vendor contracts to be sure that appropriate BA language is part of the agreement.
Section 13405(e): Access to Certain Information in Electronic Format
• In applying the Privacy Standards access provisions (45 C.F.R. §164.524), an individual has the right to obtain information in electronic format and direct the CE to provide it directly to an entity or person identified by the individual, provided the choice is clear, conspicuous and specific.
• Any fee charged by the CE for such access cannot be greater than the CE’s actual labor cost.
• NPRM implements this provision.
• Upshot?
  • Update your Access policy/procedure to implement – work through issues related to how you will allow such access in a manner consistent with your security policies/procedures.
  • Update your Notice of Privacy Practices.
  • Note: Meaningful Use provisions require that access is provided within 3 days!
Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing
• Generally, a communication by a CE or BA that is about a product or service and that encourages recipients of the communication to purchase or use the product or service [shall not be considered a health care operation (“HCO”)] [is marketing and prohibited unless you obtain an authorization] unless the communication is made:
  • to describe health-related products or services provided by the CE making the communication;
  • for the treatment of a patient; or
  • for case management or care coordination of a patient, or to direct or recommend alternative treatments, health care providers or settings of care to the patient.
Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing
• If the CE receives payment in exchange for any of those communications, then the communication is not a HCO (authorization required) except where:
  • Such communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication and any direct or indirect payment received by such CE (not for treatment) in exchange for making a communication is reasonable in amount; &
  • Where each of the following conditions apply:
    • The communication is made by the CE; and
    • The CE making the communication obtains from the recipient of the communication a valid HIPAA authorization; Or
  • Where each of the following conditions apply:
    • The communication is made by a BA on behalf of a CE; and
    • The communication is consistent with the written agreement between the BA and CE.
Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing
• Reasonable: DHHS to define by regulation.
• Direct or Indirect payment: Does not include any payment for treatment as defined in 45 C.F.R. §164.501.
• NPRM proposing significant changes in this provision to simplify . . .
Marketing and the July 14, 2010 NPRM
• Revisions to better distinguish the exception for treatment communications from those communications made for health care operations;
• Add a definition for “financial remuneration;”
• Health care operations communications for which financial remuneration is received are marketing and require authorization;
• Written treatment communications for which financial remuneration is received are subject to certain notice and opt-out requirements (include in the NPP);
• Provide a limited exception for refill reminders; etc.
• Upshot?
  • Review your marketing activities and update your HIPAA marketing policies/procedures.
  • Too confusing!!! Stay tuned.
Section 13406(b): Conditions on Certain Contacts as Part of Health Care Operations: Opt Out of Fundraising
• Any written fundraising request shall include, in a clear and conspicuous manner, an opportunity for the individual to elect to opt out of receiving future fundraising communications.
• Such election shall be treated as a revocation of a HIPAA authorization.
• NPRM implements this provision.
• Upshot?
  • Review your fundraising communications to assure that all communications include opt-out language.
  • Monitor compliance with patients who do opt out.
Section 13408: BA Contract Required for Certain Entities
• Requires the following entities to enter into a BAA with the CE:
  • Health Information Exchange Organizations;
  • Regional Health Information Organizations;
  • E-prescribing Gateway; and
  • Each vendor that contracts with a CE to allow the CE to offer a PHR to patients as part of its EHR.
• Upshot: If you disclose PHI to HIEOs, RHIOs, or an E-prescribing Gateway, be sure to enter into a BAA with the entity.
Section 13409: Clarification of Application of Wrongful Disclosures Criminal Penalties
• Amends 42 U.S.C. §1320d-6(a) to make it clear that the criminal penalties apply to employees and other individuals.