HIPAA Omnibus Rule: First Look


Transcript of HIPAA Omnibus Rule: First Look


Kim C. Stanger, Holland & Hart LLP

HIPAA Omnibus Rule: First Look

Holland & Hart LLP

Preliminaries

Written materials.
– Copy of .ppt slides.
– Copy of HIPAA Omnibus Rule, scheduled to be published in Federal Register on January 25, 2013.
– Available at www.hollandhart.com.

Presentation will be recorded and available for download at www.hhhealthlawblog.com.

If you have questions, please submit them using chat line or e-mail me at [email protected].

If you experience technical problems during the program, please contact Luke Kelly at [email protected].

Copyright ©2013, Holland & Hart LLP Kim C. Stanger 208-383-3913 [email protected] www.hollandhart.com www.hhhealthlawblog.com


Preliminaries

Lots to cover in short time.
This presentation summarizes significant changes in HIPAA; it does not cover all of HIPAA.
Read the rules and commentary when applying the new rules.
We are still synthesizing the new rules.
More stringent state or federal laws may apply.

This program does not establish an attorney-client relationship.

This program does not constitute the giving of legal advice.

Background

2003: HIPAA Privacy and Security Rules
2008: Genetic Information Nondiscrimination Act (GINA)
– 2009: Proposed GINA Rules
2009: HITECH Act
– 2009: Interim Breach Notification Rule
– 2009: Interim Enforcement Rule
– 2010: Proposed HITECH Act Rules
January 17, 2013: HIPAA Omnibus Rule
– Modified and finalized interim and proposed rules.
– Implemented additional rules required by HITECH and GINA.

Omnibus Rule: Significant Changes

Breach notification standards
Business associate requirements
Limits on disclosures to health insurers
Marketing limits
Fundraising limits
Sale of PHI restrictions
Disclosures regarding deceased persons
Disclosures for school immunizations
Patient rights to electronic health info
Notice of privacy practices requirements
Limits on using genetic info in underwriting
Compound authorizations for research


Deadlines

New rules are effective March 26, 2013.
Covered entities and business associates must comply with new rules by September 23, 2013.
– Extended compliance deadline by 180 days.
– In the meantime, existing interim rules still apply.
Covered entities generally are not required to modify existing, compliant business associate agreements until September 23, 2014.

Enforcement (45 CFR 164.300-.400)

Omnibus Rule generally finalized the existing interim rule that has been in place since 2009.

Penalties apply to covered entities and business associates.

OCR will investigate every case if preliminary review indicates possible HIPAA violation due to willful neglect.

OCR may investigate cases in which violation appears to be caused by other factors.

(160.300-.400)


Civil Penalties

Conduct: Did not know and should not have known of violation
Penalty:
• $100 to $50,000 per violation
• Up to $1.5 million per type per year
• No penalty if correct w/in 30 days
• OCR may waive or reduce penalty

Conduct: Violation due to reasonable cause
Penalty:
• $1,000 to $50,000 per violation
• Up to $1.5 million per type per year
• No penalty if correct w/in 30 days
• OCR may waive or reduce penalty

Conduct: Willful neglect, but correct w/in 30 days
Penalty:
• $10,000 to $50,000 per violation
• Up to $1.5 million per type per year
• Penalty is mandatory

Conduct: Willful neglect, but do not correct w/in 30 days
Penalty:
• At least $50,000 per violation
• Up to $1.5 million per type per year
• Penalty is mandatory

(160.404)

Civil Penalties

For violations that do not involve willful neglect, may avoid penalties if correct within 30 days.
30-day deadline runs from the date the entity knew, or by exercise of reasonable diligence, would have known of the violation.
– May be liable for knowledge of agents acting within scope of their authority.
– External notification of noncompliance is not required; internal indications of potential noncompliance may provide sufficient knowledge.
(160.410)

Civil Penalties

Number of violations depends on circumstances.
– A breach affecting a number of individuals: each affected individual would constitute a separate violation.
– Failure to implement safeguard: each day of noncompliance would be a separate violation.
– Single incident may result in multiple violations, e.g., improper disclosure may result from failure to implement required policies or safeguards.
Violations and penalties may add up quickly.


Civil Penalties

Amount of penalties depends on factors.
– Nature of violation.
– Number of individuals affected.
– Time period during which the violation occurred.
– Nature and extent of harm, e.g., physical harm, reputational harm, impaired ability to get health care.
– History of prior compliance and corrective action.
– Financial condition of entity.
– Size of the entity.
– Other matters as justice requires.
(160.408)

Criminal Penalties

Applies if employees or other individuals obtain or disclose protected health info from covered entity without authorization.

Conduct: Knowingly obtain info in violation of the law
Penalty:
• $50,000 fine
• 1 year in prison

Conduct: Committed under false pretenses
Penalty:
• $100,000 fine
• 5 years in prison

Conduct: Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm
Penalty:
• $250,000 fine
• 10 years in prison

(42 USC 1320d-6(a))

Breach Notification (45 CFR 164.400 et seq.)


If there is a breach of unsecured PHI, covered entity must notify:
– Individual or personal representative.
– HHS.
– Local media if breach involves more than 500 persons.
Business associate must notify covered entity.
Breach notification rules are subject to certain exceptions.
(164.400 et seq.)

Breach Notification

Old Rule: Only requires covered entities and business associates to report a breach if there is a significant risk of financial, reputational or other harm to the individual.
– “No harm, no foul” standard. (164.402, definition of “breach”)
Members of Congress and privacy advocates objected to the harm standard.

Breach Notification

New Rule: Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of the following factors:
– nature and extent of PHI involved;
– unauthorized person who used or received the PHI;
– whether PHI was actually acquired or viewed; and
– extent to which the risk to the PHI has been mitigated.
(164.402, definition of “breach”)


Breach Notification

“Breach notification is necessary in all situations except
– “those in which the covered entity or business associate … demonstrates that there is a low probability that the [PHI] has been compromised, or
– one of the other exceptions to the definition of breach applies”, i.e.,
  unintentional internal access to PHI;
  inadvertent disclosure of PHI to a person authorized to access PHI;
  recipient not reasonably able to retain PHI.
(164.402)

Breach Notification

When is PHI “compromised”? When the PHI is acquired, accessed, used or disclosed?
– HHS noted “there are situations in which unauthorized acquisition, access, use or disclosure of [PHI] is so inconsequential that it does not warrant notification.”
– Whether the PHI was actually acquired or viewed is only one factor in the risk assessment.
– HHS recognized that requiring notice in all situations where PHI was accessed, acquired, used or disclosed would be too burdensome and would unduly trouble patients.

Breach Notification

When is PHI “compromised”? When the acquisition, access, use or disclosure would result in potential harm?
– HHS repeatedly affirmed that it was removing the harm standard.
– HHS noted, “Considering the type of [PHI] involved in the impermissible use or disclosure will help entities determine the probability that the [PHI] could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests.”


Breach Notification

When is PHI “compromised”?
“Compromise: (a) to expose to suspicion, discredit, or mischief; (b) to reveal or expose to an unauthorized person….” (Merriam-Webster Dictionary)
“Compromise: … To lay open to suspicion, disrepute, etc.” (Webster’s New Dictionary (2003))
“Compromise: To expose or make liable to danger, suspicion, or disrepute.” (The Free Dictionary)
Probably involves both the potential for (1) unauthorized access, acquisition, use or disclosure, and (2) misuse.
Focus seems to be on actual or potential misuse of PHI, not harm to the individual.

Breach Notification

Risk assessment factors
1. Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification.
2. Unauthorized person who used PHI or to whom disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to the PHI has been mitigated.
5. Other factors as appropriate under the circumstances.
(164.402)
Risk assessment is unnecessary if the entity simply makes the report.

Breach Notification

Based on commentary, the following situations likely involve lower probability that PHI would be compromised.
– Fax sent to wrong physician, but physician reports fax and confirms he has destroyed it.
– Disclosure to or use by persons who are required by HIPAA to maintain confidentiality.
– Disclosure of info without identifiers or to entity that lacks ability to re-identify the PHI.
– Stolen laptop recovered and analysis shows that PHI was not accessed.
But must evaluate all factors.


Breach Notification

Based on commentary, the following situations likely involve higher probability that PHI is compromised.
– Disclosure involves financial data (e.g., credit card numbers, SSN, etc.), sensitive info (e.g., STDs, mental health, or other info), or detailed info (e.g., treatment plan, diagnosis, medication, medical history, test results).
– Disclosure involves list of patient names, addresses, hospital IDs.
– Info mailed to wrong individual who opened and read it; person is not a covered entity or business associate.
But must evaluate all factors.
HHS will issue future guidance regarding common scenarios.

Breach Notification

Old Rule: no breach if disclosed info in limited data set minus birthdates and zip codes.
New Rule: “minimum data set” exclusion is eliminated.
– General rule applies to “minimum data set” PHI.
– Must perform risk assessment to determine whether breach is reportable.
Violations of minimum necessary standard may constitute a breach.
– Subject to risk assessment, including fact that recipients of PHI may be obligated to maintain confidentiality.

Breach Notification

No breach notification required if:
– Low probability that PHI would be compromised.
– No privacy rule violation. “Incidental disclosures” do not violate the privacy rule.
– PHI is “secured”, i.e., encrypted per HHS standards.
– Exception applies, i.e.,
  Unintentional acquisition of PHI by workforce member acting in good faith and no further use or redisclosure.
  Inadvertent disclosure by authorized person to another person authorized to access the PHI.
  Unauthorized recipient of PHI is unable to retain PHI.
Covered entity has burden of proof.


Breach Notification

Unless we receive further clarification, safer to err on the side of reporting all but clearly “inconsequential” breaches.
– Covered entity has burden of proving “low probability that PHI has been compromised.”
– Failure to report may be viewed as willful neglect resulting in mandatory penalties.
– Timely report is unlikely to result in penalties for the incident that triggered notification, but…
Reporting still creates risk that OCR will find additional violations during its investigation, e.g., absence of required policies or safeguards.
– Blue Cross/Blue Shield of Tennessee
– Paid $1.5 million after self-disclosure

Breach Notification

Covered entity must report breach to individual and, if breach involves > 500 persons, to HHS no later than 60 days after breach is discovered or, through exercise of reasonable diligence, should have been discovered.
– Liable for knowledge of agents acting within their scope of duties.
– Must investigate and report without unreasonable delay; cannot wait until end of 60 days if circumstances would require otherwise.
– Train workforce and business associates to report promptly.
(164.402(a)(2))

Breach Notification

Old Rule: If breach involved less than 500 individuals, must report to HHS no later than 60 days after the calendar year in which the breach occurred.
New Rule: If breach involved less than 500 individuals, must report to HHS no later than 60 days after the calendar year in which the breach was discovered.
(164.406(c))


Business Associates

Business associate = entity that creates, receives, maintains or transmits PHI in performing certain functions on behalf of a covered entity.
– Not workforce members.
– Not healthcare providers for purposes of treatment.
– Not covered entities when participating in an organized health care arrangement.
(160.103, definition of “business associate”)

Business Associates

New Rule: “business associate” includes
– Subcontractors of business associates.
– Entities that provide data transmission services and require routine access to the PHI, e.g., health info organizations or e-prescribing gateway.
  Not entities that merely act as conduits, e.g., U.S. Postal Service or United Parcel Service.
– Vendors hired by covered entity to provide personal health records.
– Data storage companies.
– Patient safety organizations (“PSOs”).
(160.103)


Business Associates

Old Rule: HIPAA does not apply directly to business associates.
– Business associate agreement was required to ensure business associate compliance.
– Business associates were not subject to regulatory penalties.

Business Associates

New Rule: HIPAA applies directly to business associates and their subcontractors.
– Must comply with many privacy and security rules.
  Limit use or disclosure of PHI.
  Security risk assessment.
  Administrative, physical and technical safeguards required by security rule.
  Execute agreements with subcontractors.
  Notify covered entities of breaches.
– Subject to HIPAA penalties if fail to comply.
Still subject to business associate agreements.
(164.300 et seq., .400 et seq., .502(e), .504(e))

Business Associates

Business associate agreements.
– For new or renewed contracts: modify agreement to address new requirements.
– For compliant contracts in existence as of 1/17/13 that do not renew before 9/23/13: must comply by 9/23/14.
(164.532(d)-(e))


Business Associates

Covered entity is liable for acts of business associate if business associate is acting as the covered entity’s agent.
– Apply federal common law of agency.
– Primary factor is whether covered entity had the right to control the business associate’s conduct.
  Covered entity authority to give interim directions.
  Relative size or complexity of parties.
  Ability of covered entity to perform the services.
  Business associate acting within scope of contract.
(160.402)

Deceased Persons

Old Rule: HIPAA applies to PHI of deceased persons perpetually.
– Use or disclosure generally requires authorization from decedent’s personal representative.
– Personal representative = executor, administrator, or other person with authority under state law to act on behalf of decedent or decedent’s estate.
(164.502(f)-(g)(4))


Deceased Persons

New Rule: HIPAA only applies for 50 years after the decedent’s death.
– Not required to maintain records for 50 years.
– Does not affect separate research exception that allows earlier disclosure in some circumstances.
(164.502(f))

Deceased Persons

New Rule: May disclose info about deceased patient to family members and others involved in patient’s healthcare or payment for care if:
– Disclosure is not inconsistent with prior expressed wishes of patient, and
– PHI is relevant to person’s involvement in patient’s healthcare or payment for care.
(164.510(b)(5))
May still disclose to deceased person’s personal representative.

School Immunizations


New Rule: Covered entity may disclose proof of immunization to a school where state or other law requires the school to have such info prior to admitting the student if covered entity obtains oral agreement from:
– Emancipated patient, or
– If patient is not emancipated, from the parent, guardian or other person acting in loco parentis.
Covered entity must document agreement.
(164.512(b)(1))

Restrictions on Disclosure of PHI to Health Insurers

Old Rule: Patients generally have right to request restrictions on use or disclosure of PHI for purposes of treatment, payment or healthcare operations, but covered entity is not required to agree to such restrictions.
(164.522(a))


Restrictions on Disclosure of PHI to Health Insurers

New Rule: Covered entity must agree to the request of a patient to restrict disclosure of PHI about the patient to a health plan if:
– PHI pertains to health care item or service for which the patient, or another person on the patient’s behalf, paid the covered entity in full; and
– Disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law.
(164.522(a)(1)(vi))

Restrictions on Disclosure of PHI to Health Insurers

HHS acknowledged the operational problems with new rule, but concluded providers should already have methods to flag records under minimum necessary standard.
Rule does not apply if disclosure is otherwise required by law, e.g., Medicare audits.
If cannot unbundle bill, notify patient they must pay entire bill to trigger rule.
Patient is responsible for notifying downstream providers.
Provider may require payment in full before patient may invoke the requirement.
Only applies to disclosures to health insurers, not others.

Sale of PHI


New Rule: Cannot sell PHI unless obtain patient’s prior written authorization and the authorization discloses whether covered entity will receive remuneration in exchange for PHI.
“Sale of PHI” = disclosure of PHI by covered entity or business associate if they receive (directly or indirectly) any remuneration (financial or otherwise) from or on behalf of the recipient of the PHI in exchange for the PHI.
(164.502(a)(5) and .508(a)(4))

Sale of PHI

Does not apply to disclosures:
– for treatment or payment purposes.
– as part of sale of covered entity.
– to business associate and payment is for business associate’s duties.
– for purposes allowed by HIPAA and payment is reasonable cost-based fee to transmit PHI.
– Recovery of fees allowed by law.
Per commentary, does not apply to:
– payments to provide services or grants.
– payments to participate in health information exchange.
(164.502(a)(5) and .508(a)(4))

Marketing


Use or disclosure for purposes of marketing generally requires patient’s authorization.

Old Rule: “marketing” does not include communications about covered entity’s own products or services or certain communications for purposes of treatment or healthcare operations.

(164.508(a))

Marketing

New Rule: If covered entity receives financial remuneration from third party in exchange for making communication about the third party’s items or services, then the following are “marketing” and covered entity must obtain patient’s authorization to use or disclose PHI to market:
– provide refill reminders or communicate about drug currently being prescribed unless remuneration is related to cost of making the communication.
– for treatment purposes, including case management, care coordination, or recommendations for treatment alternatives, providers, etc.
Authorization must disclose that covered entity is receiving remuneration.
(164.508(a))

Marketing

New Rule: Even though covered entity receives financial remuneration, authorization is not required if:
– communication for treatment, healthcare operations or other marketing occurs in face-to-face communication with patient, or
– consists of promotional gift of nominal value provided by the covered entity.
Authorization would be required for such communications via telephone or e-mail since they are not “face-to-face”.
(164.508(a))


Fundraising

Old Rule: Covered entity may disclose demographic PHI to an institutionally related foundation for fundraising purposes without patient’s authorization if:
– Notify patients in the covered entity’s notice of privacy practices, and
– Give recipients an opportunity to opt out.
(164.514(f))

Fundraising

New Rule: Covered entity may disclose following demographic PHI:
– Name, address, contact info, age, gender and birthdate.
– Dates of healthcare provided by covered entity.
– Department of service.
– Treating physicians.
– Outcome information.
– Health insurance status.
(164.512(f)(1))


Fundraising

New Rule: To use PHI for fundraising, covered entity must:
– Include statement notifying patient of fundraising in covered entity’s notice of privacy practices.
– With each fundraising communication, provide clear and conspicuous opportunity to opt out of fundraising.
– Method for opting out cannot cause undue burden or more than nominal cost (e.g., toll-free number, e-mail).
Cannot condition treatment on participation in fundraising.
Cannot make fundraising communications to individuals who opt out.
May notify individuals of method to opt back in.
(164.512(f)(1))

Patient Access to PHI

Old Rule: Covered entities had up to 60 days to respond to request to access records if records maintained offsite.
New Rule: Extension for off-site records is deleted.
– Covered entities must generally respond to request for access within 30 days.
– May obtain one 30-day extension.
(164.524(b)(2)(ii))


Patient Access to PHI

New Rule: If PHI is maintained in electronic form and patient requests electronic version of the PHI:
– Covered entity must provide the PHI in form and format requested by patient if it is readily producible.
– If PHI is not readily producible in requested form, covered entity must provide it in a form as agreed by the covered entity and patient.
– If covered entity requests that PHI be sent to another person, covered entity must comply so long as request is in writing, signed by patient, and identifies recipient.
– May charge reasonable cost-based fee, including labor.
(164.524(c))

Notice of Privacy Practices

New Rule: In addition to items currently required, must add items to notice of privacy practices.
– Authorizations are required for most uses and disclosures of psychotherapy notes (if applicable), marketing purposes, and sale of PHI.
– Uses and disclosures not described in notice require authorizations.
– Patient may opt out of fundraising.
– Patient may restrict disclosures to health insurers if patient pays for the treatment.
– Covered entity must notify the patient of breach of unsecured PHI.
(164.520)


Notice of Privacy Practices

Changes will require distribution of new notice of privacy practices.
– Post new notice in prominent location at facility. May post summary if full notice is otherwise available to patient without patient having to request notice.
– Post new notice on website.
– Provide copy of notice to new patients.
– Provide copy of notice to other patients upon request.
– Comply with discrimination laws, e.g., may need to provide copy in another language, Braille, etc.
(164.520(c))

Additional Items

Additional issues in Omnibus Rule

Research
– Allows compound authorizations for conditioned and unconditioned research authorizations.
– Expands the ability to obtain authorizations for future research.
GINA
– Places limits on health plans’ use of genetic information in underwriting.


Issues Not Included in the Omnibus Rule

HITECH Act requirement that individuals receive portion of any fines or settlement.
– Subject to proposed rulemaking.
HITECH Act requirement that patients may obtain record of disclosures if provider maintains electronic health records.
– Proposed rule would allow patients to obtain report of everyone who accessed or disclosed information. (See 76 FR 31426, 5/31/11)
– Subject to future rulemaking.

Estimated Cost of Omnibus Rule Implementation

$114,000,000 to $225,400,000 during first year; $14,500,000 per year thereafter.
But is this based on realistic assumptions?
– 20 minutes to update notices of privacy practices.
– 90 minutes to draft new business associate agreements.
– 4 hours to investigate most breaches and 30 minutes to write notice to patient.
– 16 hours to implement administrative safeguards for security rule compliance.

Action Items


If you are a business associate,
– Make sure you comply with rules, e.g.,
  Protect PHI consistent with HIPAA rules and business associate agreement.
  Conduct security risk assessment.
  Implement safeguards required by the Security Rule.
  Notify covered entity of breaches.
– Enter business associate agreements with subcontractors.

Action Items

If you are a covered entity, make sure your business associate agreements comply.
– Obtain agreements for new business associates, including covered data transmission services.
– Review existing agreements to ensure they comply with operative rules.
– As new agreements are written or renewed, ensure they comply with new rules.
– Ensure all agreements comply by 9/23/14.
– Ensure business associates are not your agents.

Action Items

Update notice of privacy practices.
– Update notice to include new requirements by 9/23/13.
– Post updated notice and make available to patients.
Update policies to comply with new rules.
– Disclosures regarding deceased persons.
– Disclosures for school immunizations.
– Restrictions on disclosures to health insurers.
– Marketing, fundraising, and sale of PHI.
– Patient access to electronic PHI.
– Breach notification requirements.
Train employees.


Action Items

Ensure your EHR has required functionality.
– Restrictions on disclosures to health insurers.
– Consider encryption to avoid breaches.
– Provide electronic records to patients.
– Watch for final rule regarding required reports to patients regarding access or disclosure of PHI.

Action Items

If you discover breach that occurs after 3/26/13:
– Apply new standard.
– Perform risk assessment.
– If necessary, report breach in timely fashion.
Given new rules and breach notification standard, it is a good time to review your entire HIPAA compliance, including:
– Security risk assessment.
– Security rule compliance.
– Privacy and security safeguards.
– Document training.

Additional Resources


HIPAA Resources

HHS HIPAA Omnibus Rule and commentary.
– Available in Federal Register on January 25, 2013.
OCR website: www.hhs.gov/ocr/hipaa.
– FAQs, Guidance, etc.
– Past rules and commentary.
OCR listserv.
Lots of stuff on the internet.
– Be careful of the source.

HIPAA Resources

We anticipate providing additional guidance.
– Client alerts regarding aspects of the Omnibus Rule.
– Webinars regarding complying with the new rules.
– To receive or participate, send me an e-mail at [email protected] or visit www.hollandhart.com.
I anticipate preparing updated HIPAA privacy policies and forms by 3/26/13.
– Available for purchase by clients.
– Contact me at [email protected].

Additional Holland & Hart Resources

Future webinars
– Health Law Basics monthly webinar series
– 2/12 Stark
– 2/21 Anti-Kickback Statute
– 2/28 Civil Monetary Penalties Law
– 3/14 Physician Contracts
– 4/11 HIPAA Overview
Healthcare Update and Health Law Blog
– Under “Publications” at www.hollandhart.com.
– E-mail me at [email protected].


Questions?

Kim C. Stanger, Holland & Hart LLP
[email protected]
(208) 383-3913
