1 / 24

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES. February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq. Overview: The Privacy and Security Rules . HIPAA Privacy Regulations effective April 14, 2003(4) (“Privacy Rule”)

hayley
Download Presentation

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

  2. Overview: The Privacy and Security Rules • HIPAA Privacy Regulations effective April 14, 2003(4) (“Privacy Rule”) • HIPAA Security Regulations effective April 20, 2005(6) (“Security Rule”) • Rules apply to Health Plans, Health Care providers and Health Care Clearinghouses – HIPAA “Covered Entities” • Self-funded health plans (including HRAs, health flexible spending plans) required to fully comply with Privacy and Security Rules; fully-insured plans (group medical, dental vision policies) have limited compliance obligations because of limited PHI access.

  3. HIPAA’s Privacy and Security Rules Apply to “PHI” • Under the Privacy Rule, any unauthorized uses and disclosures of participants’ “PHI” by the Plan are prohibited • PHI Defined: information about past, present, or future physical or mental health condition, or payment for medical treatment, if the information identifies or could be used to identify the participant. Includes electronic information (“ePHI”) as well as any other form. • Does not include employment/FMLA records, disability insurance records, ADA information, drug screen results, or fitness for duty tests maintained by an employer outside of its role as Plan sponsor.

  4. Certain Uses and Disclosures of PHI Permitted • Uses and Disclosures between Covered Entities • Uses and Disclosures for Treatment, Payment, and Health Care Operations (“TPO”) • Uses and Disclosures to a Business Associate (organization providing administrative, consulting or other services to the Plan) if BA agreement in place • Uses and Disclosures pursuant to a valid HIPAA authorization

  5. Individual Rights Created; Compliance Steps Required • Individual rights include right to notice of privacy practices, right to request restrictions on PHI uses and disclosures, right to confidential communications, right to access and amend PHI, and right to accounting of disclosures. • Plan required to appoint Privacy Officer and Security Officer • Plan amendments required so Plan sponsor could access PHI • Standards related to scope of permitted disclosures (“minimum necessary standard”), marketing, sale and other uses of PHI implemented

  6. Privacy and Security Policies and Procedures Plan must adopt privacy and security policies and procedures to address its compliance with all aspects of HIPAA Privacy Rule and Security Rule, including: • How and to whom PHI will be used and disclosed, including a policy for identifying and entering into Business Associate agreements; • Which Plan employees will be authorized to access PHI; • How workforce training will be addressed; • How participant rights will be protected;

  7. Privacy and Security Policies and Procedures • How internal safeguards will be established (e.g. access controls, firewalls, encryption, password protection); • What policy and process will apply for complaints and sanctions related to HIPAA violations; • How administrative, technical and physical safeguards required by Security Rule will be addressed and implemented.

  8. Other Key HIPAA ConceptsPrior to HITECH Act • Business Associates (BAs) of Plans only obligated to comply with HIPAA as required in Business Associate agreements. • Informal Compliance Assistance provided by CMS and OCR; enforcement was not aggressive and health plan HIPAA audits were uncommon. • No Private Right of Action.

  9. HIPAA Changes in ARRA • HIPAA Privacy and Security Rules unchanged until the American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. • The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended HIPAA relating to electronic health records, breach notification, increased penalties and enforcement • Generally effective beginning February 17, 2010

  10. Key Change #1: Applicability of HIPAA Privacy & Security Rules to Business Associates • Business Associates (BAs) are now required to directly comply with the HIPAA Privacy and Security Rules similar to Covered Entities. • BAs directly subject to HIPAA’s civil and criminal penalties for HIPAA Privacy and Security Rule violations. • BAs previously bound only by terms of business associate agreements; breach of contract action by Plan only avenue to address violations.

  11. Key Change #2: The Breach Notification Regulations • Prior to HITECH, no legal requirement to affirmatively notify participants of incident involving the unauthorized use or disclosure of PHI; only required to inform participants if they asked. • New regulations make breach notification requirements effective as of September 23, 2009, and subject to sanctions for violations any time on or after February 22, 2010.

  12. A Breach Involving PHI A “Breach” occurs if: • An unauthorizedaccess,use or disclosure of PHI occurs, and • The access, use or disclosure compromises the security or privacy of the PHI. • Security or privacy is compromised if the use or disclosure “poses a significant risk of financial, reputational or other harm to the individual.” If an unauthorized use or disclosure is discovered, the Plan must perform a risk assessment to determine if the use or disclosure poses a significant risk of harm, thereby requiring notification.

  13. Exemptions from Breach Notification Requirements • “Secured” PHI • Encrypted (if electronic PHI) • Destroyed (if paper PHI) • A “Limited Data Set” with zip codes and birth dates removed • Certain disclosures between HIPAA covered entities and workforce members who have a duty to protect the information

  14. Required Action Steps in theEvent of a Breach Discovery of the Breach • Breach is considered discovered as of the 1st day of the breach being known by the Plan (or its agent), or when, by exercising reasonable diligence, it would have been discovered. • Knowledge of a breach by a workforce member or agent (BA) is attributed to the Plan • Time period begins to run upon knowledge of event occurring, even before risk assessment completed to determine if harm could result from incident.

  15. Notification of Breach to Individuals • Once privacy or security incident is discovered, Plan must complete a risk assessment to determine if harm to individuals could result from incident. • Factors to consider – who, what, why, when, how? Subjective analysis. • If harm possible, notification by Plan directly to individuals affected by breach is required no later than 60 calendar days after discovery of the breach.

  16. Notification to Media Outlets and Secretary of HHS • If Plan does not have contact information for 10 or more affected individuals, then Plan must post a conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. • If more than 500 residents of a state, Plan must notify prominent media outlets of the breach. (This is in addition to the individual notices mentioned above). • If more than 500 individuals’ PHI involved, then the Plan must immediately notify the Secretary of HHS of the breach; if less than 500 individuals’ PHI involved, Plan still must notify HHS, but may wait until 60 days after the end of the calendar year.

  17. Key Change #3: HeightenedCivil Enforcement • Under HITECH, civil penalties for HIPAA violations have increased, and HHS is required to investigate complaints of privacy and security breaches. • HHS has announced HIPAA audit initiative • Penalty Regulations effective on November 30, 2009, and apply to violations after February 17, 2010

  18. New Penalty Structure under Interim Final Regulations • Plan Unaware of Violation: minimum civil penalty is $100 per violation • Violation Due to Reasonable Cause: minimum is $1,000 per violation • Violation Due to Willful Neglect; Corrected Within 30 Days: minimum is $10,000 per violation • Violation Due to Willful Neglect; Not Corrected: minimum is $50,000 per violation Each level of penalty carries with it a maximum of $50,000 per violation, and an overall limit of $1,500,000 for identical violations in a calendar year.

  19. Criminal Liability Also Possible • Plan employees (as well as business associates) who obtain or disclose PHI without authorization may also be criminally liable. • Criminal liability generally extends to intentional harmful conduct for profit or personal gain.

  20. Key Change #4: Additional Legal Remedies for Breaches • In addition to criminal and civil penalties, the new law creates additional remedies: • State Attorney General may bring action for injunctive relief or damages on behalf of state residents adversely affected by HIPAA violation • Connecticut AG recently announced legal action for injunction/civil penalties against Health Net based on missing computer disk drive, and failure to take prompt action to mitigate/notify • Individuals may be awarded a percentage of civil monetary penalties collected for violations

  21. Key Change #5: Increased Restrictions and Individual Rights • “Minimum Necessary” disclosures restricted to “Limited Data Set unless impracticable; regulations expected • “Health Care Operations” definition will be modified to further restrict disclosures for TPO; regulations expected • Increased restrictions on marketing and sale of PHI • Changes made to individual rights – • Additional restrictions on provider disclosures to health plans (cash payments) • Changes related to Electronic Health Records (“EHRs”) • If EHRs used, Plan must account for all uses and disclosures • Requires Plans to provide PHI electronically if EHRs used

  22. Task List: Steps for HIPAA/HITECH Compliance • Revisit plan documents to ensure HIPAA required amendments are in place, and reissue Privacy Notice if necessary (required every 3 years). • Revise HIPAA policies to incorporate HITECH provisions, risk assessment and breach notification requirements, OR implement up-to-date HIPAA policies for all group health plans if not previously adopted. • Revisit Security Rule requirements to ensure administrative, technical, and physical safeguards in place, OR implement Security Rule requirements for ePHI if not previously completed.

  23. Task List: Steps for HIPAA/HITECH Compliance • Encrypt or password protect ePHI wherever practicable; review company policies for laptop computers and PDAs. • Identify and conduct training of workforce members handling PHI, provide additional training for new HITECH Act provisions. • Review workforce sanction policy (or implement if needed). • Ensure that Business Associate agreements are in place with all service providers handling PHI for the Plan, and that those agreements are updated for HITECH.

  24. QUESTIONS??? CONTACT INFORMATION • Katy Stowerscstowers@kdlegal.com (317) 238-6257 • Kristen Gentry kgentry@kdlegal.com (317) 238-6288

More Related