HIPAA Omnibus Rule Overview - MicroMD · 2015-05-27

Presented by: Crystal Stanton, MicroMD Marketing Communication Specialist


HIPAA Omnibus Rule - Agenda

• History of the Omnibus Rule
• What is the HIPAA Omnibus Rule and its various parts?
• Why is this important?
• What are the major modifications?
• PHI Breaches + Notifications
• Audits, Consequences + Penalties
• HIPAA Security Rule Analysis
• MicroMD HIPAA Compliance + Support


History of the Omnibus Rule

• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
• Omnibus Rule 2013

Before HITECH, Business Associates (BAs) regulated through Business Associate Agreements (BAAs)

After HITECH, BAs and subcontractors regulated directly by HIPAA

Therefore, BAs and subcontractors must comply with the Security Rule, some Privacy Rule requirements, and the provisions of the BAA


What is the HIPAA Omnibus Rule?

The HIPAA Omnibus Rule is a set of final regulations that modifies the existing HIPAA rules and implements a variety of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

There are three main parts to the HIPAA Omnibus Rule:

• HIPAA Privacy Rule
• HIPAA Security Rule
• HIPAA Enforcement Rule


What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Source: HHS.gov


What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.

Source: HHS.gov


What is the HIPAA Enforcement Rule?

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

Source: HHS.gov


Why is this important?

• 804 PHI breaches between 2009 and 2013

• These breaches involved 29.3 million patient health records

• 138% rise in the number of health records breached in 2013

• 83.2% of breaches were due to theft

• 22% of breaches were due to unauthorized access

• 35% of breaches involved an unencrypted laptop or other electronic device

Source: HealthITOutcomes.com


What are the major modifications?

• Use of Personal Health Information (PHI)

• Patient access to electronic PHI

• New requirements for Business Associates and their Subcontractors

• Defines new Security Requirements

• Updated definition of PHI Breach, how to assess breach level and notification

• Outlines penalties


Use of Personal Health Information (PHI)

• Limitations on use of PHI for marketing + fundraising purposes

• Prohibits sales of PHI without individual authorization to do so

• Broadens patient ability to restrict disclosure of PHI to health insurance, for instance when a patient pays cash


Patient Access to Electronic Health Record

• Expands patient rights to request + receive electronic copies of their health record

• Ties into Meaningful Use (MU)
  - Stage 2 Core Objective 7a: More than 50 percent of all unique patients seen by the EP during the EHR reporting period are provided timely (within 4 business days after the information is available to the EP) online access to their health information.
  - Stage 2 Core Objective 7b: More than 5 percent of all unique patients seen by the EP during the EHR reporting period (or their authorized representatives) are able to view, download or transmit to a third party their health information.


Business Associates (BAs): Definition

“Persons who, on behalf of a Covered Entity (other than the Covered Entity’s workforce) perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA.”

• IT equipment, support + software vendors
• Leasing firms
• Data centers
• Cloud computing providers
• Telephony + answering service vendors
• Shredding vendors
• Billing services
• Transcription services
• Collection services
• Temporary employment agencies


Business Associates (BAs): Omnibus Impact

• Extends requirements for privacy and security rules to physician BAs and their subcontractors

• HHS Secretary authorized to receive complaints and take action against BAs and subcontractors

• BAs and subcontractors required to maintain own records and provide HHS access to info

• BAs and subcontractors subject to civil money penalties for violations

• BAs and subcontractors liable under contract to Covered Entity (CE) and BA


Business Associates (BAs): Why the changes?

• Before HITECH, management of PHI was loosely defined; law required to “use appropriate safeguards”

• No established standards

• No way to validate standards were being followed

• Laptops don’t always have encrypted discs

• Users often disable or don’t update virus protection

• Covered Entities (CEs) with limited IT resources

• Increasing EMR adoption


Business Associates (BAs): Must Document

• Risk Analysis
• Continuity Plan
• Security Practices and Procedures
• Incident Response Plan (Breaches)
• Records Disposal Procedure for Electronic Media and Paper Records
• Employee Training Program
• Termination Procedures
• Audit Logs


Business Associates (BAs): Musts

• Protect data + uphold privacy and security measures
  - Restrict access to PHI via password
  - Secure servers; limit access
  - Receive and forward data automatically
  - 128-bit encryption for reports
  - Restrict PHI to “need to know”
  - Automatic password expiration
  - Store archives and backup in fireproof safe
  - Mandatory HIPAA training
  - Monitored security system
  - Automated, securely-stored data backups
  - Automated virus checks
• Properly dispose of data
  - Delete data from BA systems at end of BA
  - Not retain paper copies


Business Associate Agreement (BAA): Elements

• Specifies
  - Purpose for use of PHI
  - Functions, activities or services performed for the CE
• BAs agree to
  - Not use PHI outside of requirements
  - Use appropriate safeguards
  - Mitigate disclosure that violates BAA
  - Report disclosures to CE
  - Document disclosures


Business Associate Agreement (BAA): Elements

• Designates
  - BA may use PHI for data aggregation
  - BA may use PHI to report violations of law
• Notification of BA changes in PHI disclosure procedures
• Notification of BA of PHI use or disclosure
• Term and termination provision
• Provision that BAA applies to subcontractor
• BA returns or destroys PHI; retain no copies (or, if return is not feasible, specify conditions)


Business Associates (BAs): Violations

• HITECH deems a BA to violate HIPAA if the BA
  - Knows of a pattern of activity or practice
  - Breaches their Business Associate Agreement (BAA)
  - Fails to cure the breach, terminate the BAA or report the non-compliance


Security Rules

• BAs + Subcontractors should already have in place security practices that either comply with the HIPAA Security Rule, or that only require modest improvements to come into compliance

• CEs and BAs must review and modify security measures to ensure the continued provision of “reasonable and appropriate” protection of PHI

• Specifies that the BA secure assurances of adherence from Subcontractors, not the CE

• Subcontractor of a BA must report security incidents, including breaches, to its BA


PHI Breaches + Notification

• Defines that improper use or disclosure of PHI should be considered a breach that would trigger official notification requirements unless the organization in question carries out a risk assessment and determines otherwise

• Applies to “unsecured PHI” not rendered unusable, unreadable or indecipherable


PHI Breaches + Notification

• Changes definition for required notification of breaches
  - 2009: Requirement was to notify of a breach if there was “significant risk of harm” to the individual
  - 2013: Any acquisition, access, use or disclosure of PHI that is not permitted under HIPAA is deemed a breach, unless the covered entity or Business Associate can demonstrate, using a 4-factor assessment, that there is a low probability that PHI has been compromised

• Used to be the “risk of harm” was the threshold when determining a breach occurred

• Now the Office for Civil Rights (OCR) uses “presumption of a breach” as the threshold, making it more likely to be required to notify of a PHI breach


Common Breaches

• Impermissible use and disclosure of PHI

• Lack of safeguards of PHI

• Lack of patient access to PHI

• Complaints about the CE to HHS


Breach Notification: Assessment

• 4 factors must be assessed
  1. Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. Extent to which the risk to the PHI has been mitigated

• If assessment of factors fails to show a low probability that the PHI has been compromised, breach notification is required


Breach Notification: Examples

• Example 1: A laptop computer was stolen and recovered, and analysis shows the PHI on the computer was never accessed, viewed, transferred, acquired or compromised in any way

• Example 2: Credit card numbers and social security numbers were included on the laptop, and analysis shows the data was transferred


Breach Notifications: Obligations

• Notify impacted individuals in plain language by written notice sent by first class mail (or e-mail if agreed by the individual), to include:
  - Description of how breach occurred
  - Date of breach + breach discovery
  - Description of compromised PHI (data fields)
  - Steps individuals can take to protect themselves from resulting harm
  - Steps CE is taking to resolve and protect against further breaches
  - Contact info of the Privacy Officer

• Also notify by phone or other means for urgent situations

• Minors: Notify parent or designated guardian

• Deceased: Notify next of kin

• Disclosure of SSN: Check with state


Breach Notifications: Obligations

• Notify Secretary of HHS
  - Breaches involving more than 500 individuals: submit notification online at http://ocrnotifcations.hhs.gov/ no later than 60 days after discovery
  - Breaches involving fewer than 500 individuals: should be documented and submitted annually to HHS; documentation of breaches should be maintained for 6 years from the last breach
• Notify media
  - If the breach involves more than 500 residents of a state or jurisdiction
  - Must be a prominent media outlet
  - No later than 60 days after discovery


Audits, Consequences + Penalties


Avoiding HIPAA Consequences

• Read the full rule
• Modify and redistribute your individual Notice of Privacy Practices
• Amend BAAs to add security and privacy provisions and reissue for signature
• Do a test run before ever encountering a breach
• Complete a Security Risk Assessment
• Identify gaps + fix
• Document policies + procedures
• Create an action plan for breaches
• Conduct regular internal audits
• Have your BAAs handy; alert your BAs
• Establish audit reports, schedule + print
• Train staff


Surviving a HIPAA Audit

• Audits have been rare; tend to occur with breach notification

• Initial document request period: 10 days

• Audit process entails:
  - Site visit: Interview stakeholders and examination of health information systems
  - Site audit report: Physical safeguards, daily operations, adherence to policies and HIPAA compliance
  - Remediation: Identify gaps and prioritize fixes; CEs should start an immediate “good faith effort”

• If you’ve prepared + documented it, you’ll show a “good faith effort”


HIPAA Security Rule Risk Analysis: 5 components of the Security Risk Analysis

Security Component          | MicroMD Security Measures to Help
----------------------------|------------------------------------------------------------
Physical Safeguards         | N/A: These are practice safeguards
Administrative Safeguards   | Use your MicroMD software to: control information access; review user activities
Technical Safeguards        | MicroMD EMR Audit Controls; Practice-controlled User Access Designation; Login Management and Password Protection Controls; Direct Secure E-mail; Secure and Timely Data Sharing with Patients; MicroMD eBackUp; Cloud-based MicroMD
Policies + Procedures       | N/A: These are practice safeguards
Organizational Requirements | Business Associate Agreement with MicroMD


MicroMD HIPAA Compliance + Support

• BAAs
  - Secure signed BAAs from each client
  - Provide you with a signed BAA from MicroMD
  - Secure signed BAAs from each MicroMD vendor + subcontractor
  - HIPAA Compliance Officer: Linda Spinelli: [email protected]
• Maintain HIPAA-compliant
  - Policies
  - Procedures
  - Training
• Security
  - Encrypted HIPAA-compliant data security for MicroMD Cloud data center
  - Offer HIPAA-compliant eBackUp service for non-Cloud data back up
• Auditing
  - Audit logs to track and document HIPAA-related items
  - Client Support for questions regarding audit documentation


HIPAA Resources

• Federal Register HIPAA Final Rule, Jan 2013 (138 pages): http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• HIPAA Survival Guide: http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
• AMA Summary: http://download.ama-assn.org/resources/doc/Washington/x-pub/hipaa-omnibus-final-rule-summar.pdf


HIPAA Omnibus Rule Overview

For additional questions, please email me at [email protected]