Gwinnett Managed Care, Inc.
Final HIPAA Privacy and Security Rules
July 10, 2013

Richard D. Sanders
The Sanders Law Firm, P.C.
7 Piedmont Center, Suite 300
3525 Piedmont Road
Atlanta, Georgia 30305
(404) 364-1819
email@example.com
Overview
• Background for HIPAA Changes
• Review New HIPAA Breach Notification Rules
• Summary of key provisions of the Final Rule
HITECH Revisions – Breach Notification
• Description of Breach Notification Requirements – Pre-HITECH
• Breach Notification – Interim Final Rule Provisions – August 24, 2009
• Guidelines for Risk Analysis
• HITECH Revisions to Enforcement and Penalties
• FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules
• Breach... or No Breach
• Final Rule issued January 25, 2013; effective March 26, 2013
HITECH Revisions – Breach Notification
• Scope of Notification Requirements
  – Applies to Privacy Rule breaches involving both electronic and paper records
  – “Breach” means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information (45 C.F.R. §164.402)
  – Under the Final Rule, any use or disclosure of unsecured PHI not permitted under the HIPAA Privacy Rule is presumed to be a breach requiring patient notification unless the Covered Entity or Business Associate demonstrates that there is “a low probability that the protected health information has been compromised.”
HITECH Revisions – Breach Notification
• Exceptions to “Breach” Definition
  – Unintentional access to PHI by a workforce member or other individual acting under the authority of a CE or BA if:
    • The access was in good faith and within the scope of authority of the CE/BA; and
    • The information is not further acquired, accessed, used or disclosed by such person in a manner not permitted by the Privacy Rule
  – Inadvertent disclosure by a person authorized to access the CE’s or BA’s PHI to another similarly situated person at the same CE, BA or OHCA, where the PHI is not further used in a manner not permitted by the Privacy Rule
  – Disclosure of PHI to an unauthorized person if the CE/BA has a good faith belief that such person could not reasonably have been able to “retain” such information
• The Final Rule removes the exception for limited data sets that do not contain zip codes and dates of birth.
HITECH Revisions – Breach Notification
• Unsecured PHI Guidance
  – HITECH defines “Unsecured PHI” as PHI not secured through use of a technology or methodology required in HHS guidance to render PHI “unusable, unreadable or indecipherable to unauthorized individuals”
  – HHS issued guidance April 27, 2009, identifying two methods to secure and render PHI unusable, unreadable or indecipherable to unauthorized individuals: encryption and destruction
  – HHS is required to update the guidance annually
HITECH Revisions – Breach Notification
• Clarified meaning of “data”: in motion, at rest, in use and disposed
• Encryption:
  – Successful use depends upon the strength of the encryption algorithm (computer program) and the security of the decryption key or process
  – Two approved processes:
    • For data considered to be “at rest”: NIST Special Pub 800-111, Guide to Storage Encryption Technologies for End User Devices
    • For data considered to be “in motion”: Federal Information Processing Standards (FIPS) 140-2
  – These methods are exhaustive, not illustrative
• Destruction:
  – PHI in written form will be “secured” if the materials are shredded or destroyed and the PHI cannot be read or otherwise reconstructed
  – PHI in electronic form will be “secured” if the information is cleared, purged or destroyed consistent with NIST Special Pub 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved
HITECH Revisions – Breach Notification
• Updated HHS Guidance on Securing PHI
  – In the preamble to the regulations for breach notification, HHS updated its guidance on “securing” PHI.
  – HHS:
    • Rejected access controls, such as firewalls, as a method for securing PHI.
    • Rejected redaction as a means of securing PHI, and clarified that only the destruction of paper PHI will render that PHI secure.
    • Clarified that encryption keys must be kept on a separate device from the data that they encrypt or decrypt.
    • Reiterated its reliance on certain NIST standards as meeting the encryption standards required to secure PHI.
HITECH Revisions – Breach Notification
• Discovery of Breach – Section 164.404(2)
  – A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence could have been known (except by the person committing the breach), to the CE or BA
  – The CE/BA is “deemed” to know when the breach is known, or by exercising reasonable diligence could have been known, to any workforce member or agent of the CE
  – Meaning of “agent” is determined by the federal common law of agency
HITECH Revisions – Breach Notification
• Notice to Individuals – Section 164.404
  – CEs must notify individuals if “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a “breach”
• Written Notice
  – Sent via first class mail unless the individual has specified a preference for e-mail
• Substitute Notice
  – If there is insufficient or out-of-date contact information for the individual, or if the notice is returned undeliverable, the CE must provide substitute notice
  – If fewer than 10 individuals are involved, notice may be by phone or other means
  – If 10 or more individuals are involved, notice must be by conspicuous posting for 90 days on the CE’s Web site or in major print or broadcast media where the affected individuals reside
  – Must include a toll-free phone number active for at least 90 days
  – Notice must be reasonably calculated to reach the individual
• Urgent Notice
  – If there is a possibility of imminent misuse of unsecured PHI, notice is required by telephone or other appropriate means, in addition to written notice
HITECH Revisions – Breach Notification
• Timing of Notice to Individuals by CE – Section 164.404(b)
  – Must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the unsecured PHI breach
• Content of CE Notice to Individual – Section 164.404(c)
  – The notice must include:
    • Description of the breach (what happened, including the date of the breach)
    • Types of information involved (such as SS#, DOB, address)
    • Mitigation, investigation and protective steps taken by the CE
    • Steps individuals should take to protect themselves
    • Contact information to ask questions or obtain more information (must include a toll-free number, e-mail address, Web site or postal address)
HITECH Revisions – Breach Notification
• Notice to Media – Section 164.406
  – If a breach involves unsecured PHI of more than 500 individuals in a state or jurisdiction, the CE must notify prominent media outlets
  – Notice must be given without unreasonable delay and no later than 60 calendar days after breach discovery
  – Depending on the circumstances, an appropriate media outlet may include a local television station or a major general interest newspaper with a daily circulation throughout an entire state
• Notice to Secretary – Section 164.408
  – If a breach involves unsecured PHI of more than 500 individuals:
    • Notify immediately, meaning without unreasonable delay and no later than 60 calendar days after breach discovery
    • CEs are listed on the HHS Web site
  – If a breach involves unsecured PHI of fewer than 500 individuals:
    • CEs must maintain a log of breaches and submit an annual report of breaches to the Secretary
    • The date for submission will be identified on the HHS Web site and will be no later than 60 days after the end of each CY
• Report to Congress
  – HHS must annually report breaches to Congress
HITECH’s Revisions to Enforcement and Penalties
• HITECH Revisions
• Enforcement
  – HHS, specifically OCR, must formally investigate any complaint of a HIPAA violation if the initial investigation indicates a breach due to willful neglect – effective February 17, 2011
  – Required to impose a CMP if willful neglect is found
  – OCR will perform audits of CEs and BAs (probably not random onsite visits) – beginning February 2010
  – Effective February 17, 2009, State attorneys general may bring civil actions in federal court for HIPAA violations
    • HHS may intervene
    • AGs may seek injunction or damages
    • Only if HHS has not initiated a lawsuit
HITECH’s Revisions to Enforcement and Penalties
• Penalties (per statute and the October 30, 2009 Interim Final Rule)
  – Applicable to CEs – February 18, 2009
  – Applicable also to BAs – February 17, 2010
  – Original bases for civil enforcement retained, with increased penalties
  – Penalties based on intent – state of mind
  – CMPs collected are transferred to OCR for purposes of enforcing the Privacy and Security Rules
  – OCR will consult with GAO to develop, within 3 years, a system to provide a percentage of CMPs/settlements to individuals harmed
  – Non-CEs (e.g., employees of CEs) may violate HIPAA if PHI maintained by a CE is obtained or disclosed by a person without authorization
• Criminal penalties
  – Broad language
HITECH’s Revisions to Enforcement and Penalties
• Penalties (cont’d):
  – Applies a tiered approach to CMPs
    • Unknown, or with reasonable due diligence would not have known:
      – Not less than $100 or more than $50,000 for each violation, OR
      – In excess of $1.5 million for identical violations during a calendar year
    • Reasonable cause that is not willful neglect:
      – Not less than $1,000 or more than $50,000 for each violation, OR
      – In excess of $1.5M for identical violations during a calendar year
    • Willful neglect and violation corrected within the 30 day cure period:
      – Not less than $10,000 or more than $50,000 for each violation, OR
      – In excess of $1.5M for identical violations during a calendar year
    • Willful neglect and violation not corrected within the 30 day cure period:
      – Not less than $50,000, OR
      – In excess of $1.5M for identical violations during a calendar year
Proposed Rule Change for HIPAA/HITECH – Notice of Privacy Practices
• The components of the HIPAA Notice of Privacy Practices require new notices regarding marketing and fundraising
• Authorization is required for any disclosure of PHI that is made in exchange for direct or indirect remuneration, unless a specified exception applies
Proposed Rule Change for HIPAA/HITECH – Additional Issues
• Privacy protection extends only 50 years after the death of the patient
• Covered entities can charge patients for costs associated with providing an individual’s ePHI on electronic media
2013 Rule Changes
Final Rule Change for HIPAA/HITECH – Effective Date
• The Department of Health and Human Services issued the HIPAA/HITECH Act Omnibus Final Rule on January 25, 2013 (the “Final Rule”).
• The Final Rule is effective March 26, 2013.
• Covered Entities will be required to comply with most provisions by September 23, 2013.
HIPAA/HITECH Act Omnibus Final Rule – Breach Notification
• The Final Rule revises the definition of a “breach” and the standard for determining whether patient notification is required.
• The Final Rule replaces the harm threshold with a probability-of-compromise threshold.
• Any use or disclosure of PHI is presumed to be a breach requiring patient notification unless there is “a low probability that the protected health information has been compromised.”
HIPAA/HITECH Act Omnibus Final Rule – Breach Notification (cont.)
• When determining whether there is a low probability that PHI has been compromised, Covered Entities must take into account four (4) factors:
  – The nature and extent of the PHI involved;
  – The unauthorized person who used the PHI or to whom the PHI was disclosed;
  – Whether the PHI was actually acquired or viewed; and
  – The extent to which the risk to the PHI has been mitigated.
HIPAA/HITECH Act Omnibus Final Rule (cont.) – Business Associates and Contractors
• Under the Final Rule, Business Associates and Contractors are now required to comply with the HIPAA Security Rule.
• The Final Rule provides a transition period of an additional year for Business Associate Agreements (“BAAs”) that are currently in existence to be brought into compliance with the Rule.
• For example: for BAAs that existed prior to January 25, 2013, and that are not renewed or modified during the period from March 26, 2013 to September 23, 2013, the deadline to comply with the Final Rule will be the earlier of the date on which the BAA is renewed or modified, or September 22, 2014.
HIPAA/HITECH Act Omnibus Final Rule (cont.) – Revised Privacy Notices
• Under the Final Rule, Privacy Notices must now grant the recipient the right to receive the breach notification.
• Covered Entities must obtain patient authorization before using PHI for marketing purposes and before selling PHI.
• Covered Entities will need to provide a revised Notice of Privacy Practices to individuals.
Richard D. Sanders
The Sanders Law Firm, P.C.
3525 Piedmont Road
Atlanta, Georgia 30305
(404) 364-1819
firstname.lastname@example.org

THANK YOU!!!