FIVE “EASY” STEPS FOR HANDLING NEW HIPAA REQUIREMENTS &MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois (c) 2013 James J. Eischen, Jr., Esq.
JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience as an attorney in California Experience in the healthcare field: medical groups, EHR firms, health coaching enterprises and healthcare products. Graduated from the University of California at Davis School of Law. Professional Memberships: San Diego County Bar Association Law & Medicine Section, Attorney-Client Relations Committee, State Bar Of California Section Member, AAPP Corporate Secretary (c) 2013 James J. Eischen, Jr., Esq.
STEP ONE Understand The Purpose Of HIPAA (c) 2013 James J. Eischen, Jr., Esq.
WHAT IS HIPAA? • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. • The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information. • The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). • Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties. (c) 2013 James J. Eischen, Jr., Esq.
KEY TERMS • “Unsecured” PHI • PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons specified by HHS • Encryption and destruction • ePHI • Electronic PHI • Breach • Acquisition, access, use or disclosure of PHI • PHI security or privacy is compromised (c) 2013 James J. Eischen, Jr., Esq.
STEP TWO Look At Basic HIPAA Compliance (Privacy And Security Rules) (c) 2013 James J. Eischen, Jr., Esq.
SECURITY RULE • Prior to HIPAA, no generally accepted federal security standards or general requirements for protecting health information. • New technologies evolving. Health care industry moves away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. • Providers use clinical applications such as computerized physician order entry (COPE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. • Security Rule: Protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. • Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI. (c) 2013 James J. Eischen, Jr., Esq.
SECURITY RULE APPLIED • Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. • Specifically, covered entities must: • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit; • Identify and protect against reasonably anticipated threats to the security or integrity of the information; • Protect against reasonably anticipated, impermissible uses or disclosures; and • Ensure compliance by their workforce. (c) 2013 James J. Eischen, Jr., Esq.
PRIVACY RULE: CONFIDENTIALITY The Privacy Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons. The Privacy Rule prohibits improper uses and disclosures of ePHI. (c) 2013 James J. Eischen, Jr., Esq.
SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED? • Security Rule does not dictate measures, but requires the covered entity to consider: • Its size, complexity, and capabilities, • Its technical, hardware, and software infrastructure, • The costs of security measures, and • The likelihood and possible impact of potential risks to e-PHI. • Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment. (c) 2013 James J. Eischen, Jr., Esq.
http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdfhttp://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf (c) 2013 James J. Eischen, Jr., Esq.
STEP THREE Evaluate What Changed With The Omnibus/Final Rule (c) 2013 James J. Eischen, Jr., Esq.
BEFORE AND AFTER OMNIBUS RULE • Before • BA regulated through BAAs • After • BAs and subcontractors regulated directly under HIPAA • BAs are CEs, and must comply with Security Rule (c) 2013 James J. Eischen, Jr., Esq.
EXPANDED DEFINITION OF CE • CE: On behalf of a covered entity (CE), creates, receives, maintains or transmitsPHI • Subcontractor of a BA • Role + responsibilities of BA = CE • BA requirements/exposure not defined simply because it is a party to a BAA (c) 2013 James J. Eischen, Jr., Esq.
NOT A BA • Those who simply provide “transmission services” • Digital couriers or “mere conduits” • But if you store personalized ePHI, even if you do not view it, you are a BA/CE (c) 2013 James J. Eischen, Jr., Esq.
SUBCONTRACTORS • Contract between the CE’s BA and the BA’s subcontractor must satisfy the BAA requirements • Subcontractor of a subcontractor of a subcontractor of a subcontractor all BAS • HIPAA/HITECH obligations apply to subcontractors (c) 2013 James J. Eischen, Jr., Esq.
OMNIBUS/FINAL RULE • All covered entities must review documentation including business associate agreements, notice of privacy practices, and their policies and procedures to ensure compliance with the Final Rule • BAA and NPP MUST BE UPDATED (c) 2013 James J. Eischen, Jr., Esq.
PRESUMPTION OF BREACH • Interim Final Rule • Risk assessment to determine if unauthorized ePHI access, use or disclosure caused harm • No presumption of a breach • Final Rule • Unauthorized access, use or disclosure presumed to be a breach unless CE determines low probability ePHI was compromised (c) 2013 James J. Eischen, Jr., Esq.
POTENTIAL BREACH EVALUATION • CE must evaluate • Nature and extent of ePHI • Unauthorized person who used ePHI • Whom disclosure was made • ePHI actually viewed or acquired • How risk was mitigated • DOCUMENT, DOCUMENT, DOCUMENT • AND THEN DOCUMENT SOME MORE (c) 2013 James J. Eischen, Jr., Esq.
BREACH NOTIFICATION • BA must provide notice of breach • To CE • Breach treated as discovered as of 1st day when known or would have been known • When by exercising reasonable diligence would have breach been known? • Subcontractor BA gives notice to BA (c) 2013 James J. Eischen, Jr., Esq.
ELECTRONIC ACCESS • “Reasonable” safeguards • If PHI owner wants PHI sent unencrypted, CE needs to let individual know of risks • DOCUMENT ePHI OWNER’S CONSENT • Secure mechanism • Electronic “machine readable copy” • Can be used on a computer • PDFs • If a PHI owner asks for specific format, CE needs to accommodate when possible (c) 2013 James J. Eischen, Jr., Esq.
FEES CHARGED FOR ELECTRONIC RECORDS? • Labor costs only • Retrieval costs or capital costs not allowed to be charged • Supplies upon request can be charged • Best practice is to list fees on authorization/consent form itself (c) 2013 James J. Eischen, Jr., Esq.
ACCESS TO THIRD PARTIES • Individual can request CE to send ePHI to another individual • In writing • Electronic OK but verification needed • Identify who is the receiver • PHI must still be protected when sent to third party (c) 2013 James J. Eischen, Jr., Esq.
RESTRICTIONS/ACCOUNTING RULE • Individual can restrict ePHI to health plan when paying out of pocket in full for a service (Accounting Rule) • CE need to develop how to track restrictions • CEs submit restricted ePHI for required audits when “required by law” (c) 2013 James J. Eischen, Jr., Esq.
STEP FOUR Identify Necessary HIPAA Compliance Steps (c) 2013 James J. Eischen, Jr., Esq.
Update Your Documentation! (c) 2013 James J. Eischen, Jr., Esq.
HIPAA COMPLIANCE: BASIC DOCUMENTATION • Notice of Privacy Practices (NPP) • Business Associate Agreement (BAA) • Internal risk analysis memo • Practice’s written office procedures and processes must be examined thoroughly • Evaluate risks and decide how to address those risks (c) 2013 James J. Eischen, Jr., Esq.
SO, WHAT DO I DO? • Update BAA • Update NPP • Update internal risk assessment memo • Ensure electronic records access not subject to unlawful charges (c) 2013 James J. Eischen, Jr., Esq.
STEP FIVE Electronic Communications, Scheduling & Records Management (c) 2013 James J. Eischen, Jr., Esq.
HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS • Electronic data storage of any kind = HIPAA (c) 2013 James J. Eischen, Jr., Esq.
SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS • Not recommended! • Need separateePHI agreement for risk management/HIPAA compliance • HIPAA Final Rule: Non-compound ePHI consent (c) 2013 James J. Eischen, Jr., Esq.
CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE • Website • Calendar/Scheduling • FAQs • Patient letters • Staff training!!! • Is this all really necessary? (Hint—The correct answer is not “no”) (c) 2013 James J. Eischen, Jr., Esq.
So What Can Go Wrong Anyway? Case Study: Arizona Cardiologist Fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients. (c) 2013 James J. Eischen, Jr., Esq.
WHAT WENT WRONG? • Inadequate internal risk analysis • Lack of staff training • No BAA with outside IT vendor for web calendar • Bottom Line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties http://www.healthcareitnews.com/news/phoenix-practice-pay-100000-settle-hipaa-case (c) 2013 James J. Eischen, Jr., Esq.
Questions? James J. Eischen, Jr., Esq. Office: (619) 819-9655 Email: firstname.lastname@example.org Skype: jeischenjr http://www.assessmentandplan.com http://www.higgslaw.com (c) 2013 James J. Eischen, Jr., Esq.