The HITECH Omnibus Rule went into effect in March 2013. The deadline for compliance is September 23, 2013. Is your organization armed with the knowledge necessary to avoid fines under the Final Rule?
© 2013
The HITECH Omnibus Rule: A Review
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA
Diana Warner, MS, RHIA, CHPS, FAHIMA
Agenda
1. Discuss the regulatory changes brought about by the final ARRA/HITECH Omnibus Rule.
2. Review the new enforcement rules and how OCR has already applied them.
3. Review the impact of GINA on the HIPAA Modification Rule.
ARRA/HITECH Review
• American Recovery and Reinvestment Act
• Health Information Technology for Economic & Clinical Health provisions
ARRA/HITECH Review
• February 2009
• HIPAA markedly expanded and penalties stiffened under ARRA/HITECH
• Proposed Changes
  – Privacy
  – Security
  – Enforcement
Omnibus Rule
• Rule published January 25, 2013
• Effective March 26, 2013
• Compliance September 23, 2013
• Compliance for small health plans will be the same
Security Changes
• Added “and business associates” with the “covered entities”
• Definition of “electronic media”
• Annual review of risk assessments
HIPAA Privacy Modification Overview
• Final:
  – Business Associates
  – Limited Data Set
  – Deceased Individuals
  – Childhood Immunizations
  – Marketing
  – Fundraising
  – Disclosure and Sale of Health Information
  – Research
  – Requested Restrictions
  – Electronic Access
  – Notice of Privacy Practice
What’s Still Missing?
• Accounting of Disclosures (AoD)
• Minimum necessary guidance
• Distribution of penalties/settlements to harmed individuals
What’s Not Missing?
• De-identification Guidance (32 pages)
  – Posted November 26, 2012
  – Reviews the standard itself and its rationale
  – Preparing for de-identification
  – Satisfying the Expert Determination Model
  – Satisfying the Safe Harbor Method
Business Associates (BA)
• BAs are incorporated into certain privacy, security and enforcement regulations
• Need for new agreements
• HIEOs, PHRs, E-prescribing gateways, PSOs
• Subcontractors
Decedents
• Involved in care or payment of the deceased
• Not considered PHI if deceased for more than 50 years
Childhood Immunizations
• CE may release proof of immunization to a school without having to obtain a written authorization
  – CE must still obtain disclosure agreement (oral or otherwise) from parent, guardian, or individual
  – Affected by State law
Marketing
• Expands and defines what can be considered marketing and when an authorization is necessary
• Defines financial remuneration, which is necessary to define some of the marketing situations and the selling of PHI
• Requires individual authorization before marketing communication can be received
• Allows individuals to opt out of receiving marketing communications
• Provides statutory exception for prescription refill reminders
Fundraising
• Opportunity to opt out
• CE may not condition treatment or payment on choice
• Adds categories of PHI that may be used or disclosed for fundraising:
  – Department of service
  – Treating physician
  – Outcome information
  – Health insurance status
Disclosure & Sale of PHI
• Does not permit a CE or BA to directly or indirectly receive remuneration in exchange for PHI of an individual unless covered by a valid authorization
  – Authorization must specify whether the entity receiving the PHI can further exchange the information for remuneration
Disclosure & Sale of PHI: Exceptions
• Public health data as defined in HIPAA
• Research data as defined in HIPAA
• When the purpose of the exchange is for:
  – Treatment
  – Health care operations
  – Remuneration
  – Providing an individual with a copy of the individual’s PHI
• Otherwise determined by the Secretary in regulations to be similarly necessary and appropriate
Research
• Use of compound authorizations
• Authorizing future research use or disclosure
Restrictions
• HIPAA’s right to request privacy protections will remain
• Additional restriction requirement limited to restricting PHI disclosed for payment and operations when service is paid out of pocket in full
• 45 CFR 164.522(a) will still be needed to cover all other restriction requests
Electronic Access to Designated Record Set (DRS)
• Where a CE uses or maintains an EHR with respect to the PHI of an individual, the individual has a right to obtain from that CE a copy of such information in an electronic format.
• The individual has a right to direct the CE to transmit a copy directly to another entity or person.
• The CE may not charge the individual any more than its labor costs to respond to a request for a copy of the record.
• In providing the individual with an electronic copy of PHI, the CE should ensure that reasonable safeguards are in place.
Update Notice of Privacy Practices
• Statements to include:
  – Uses and disclosures of:
    • Psychotherapy notes (where appropriate)
    • PHI for marketing purposes
    • Disclosures that constitute a sale of PHI require an authorization
    • Uses and disclosures not described in the NPP will be made only with an authorization from the individual
  – Fundraising communications and an individual’s right to opt out
  – (Only applies to healthcare providers) Right to restrict certain disclosures of PHI to a health plan if the individual pays for a service in full and out of pocket
  – Individual’s right to be notified of a breach of unsecured PHI in the event they are affected
  – (Only applies to certain health plans) Limits on the use of genetic health information
Health Plan NPP Redistribution
• Post on website:
  – Prominently post the material change or its revised notice on its website
  – Provide revised notice in the next annual mailing to individuals
• Health plans that do not have customer service web sites are required to provide the revised NPP, or information about the material change and how to obtain it, to individuals
Enforcement
• Final Rule adopts the 10/31/2009 Interim Final Rule.
  – Expanded to include BAs and their agents (subcontractors)
  – Changes in this section’s language signal tougher enforcement for willful neglect
  – All complaints will initiate an investigation
Enforcement
• OCR is recruiting enforcement agents heavily and has upped their pay scale
• OCR HIPAA audits are still mandated
• BAs up next!
State AGs to Enforce HIPAA
• OCR training includes:
  – Overview of privacy and security
  – Investigation techniques
  – Preemption review
  – OCR’s enforcement role
  – State attorney general’s role and responsibilities
  – HIPAA enforcement and support
Civil Money PenalGes
Four-tiered structure; penalties are based on culpability and increase with each tier:
1. Reasonable cause
2. Knowledge and reasonable diligence
3. Willful neglect, violation corrected
4. Willful neglect, violation not corrected
Penalty Tiers
• Did not know: each violation $100-$50,000; all such violations/yr $1,500,000
• Reasonable Cause: each violation $1,000-$50,000; all such violations/yr $1,500,000
• Willful Neglect, Corrected: each violation $10,000-$50,000; all such violations/yr $1,500,000
• Willful Neglect, Not corrected: each violation $50,000; all such violations/yr $1,500,000
Penalty Tiers
Reasonable Cause (§160.401 Final Rule): “An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”
Civil Money Penalties
Penalties imposed will be impacted by the following:
• Violations before or after HITECH
• Nature and extent of the violation
• Harm resulting from the violation (not harm as discussed in Breach Notification)
• History of compliance
• Entity’s overall financial condition
Civil Money PenalGes
• Counting violations:
  – Lose a thumb drive = number of individuals affected
  – Lack of appropriate safeguards (e.g. policy and procedure) = per-day basis
• $1.5M cap = per type of violation
§ 160.410 Affirmative Defenses: Prior to 2/18/2009
• An act punishable under 42 U.S.C. 1320d-6
• CE establishes that it did not have knowledge of the violation
• The violation is
  – Due to reasonable cause
  – Corrected during the 30-day period
  – Corrected as the Secretary determines to be appropriate
§ 160.410 Affirmative Defenses: On or after 2/18/2009
• An act punishable under 42 U.S.C. 1320d-6
• The violation is
  – Due to reasonable cause
  – Corrected during the 30-day period
  – Corrected as the Secretary determines to be appropriate
Waiver §160.412
• The Secretary may waive a civil money penalty in whole or in part:
  – Violation due to reasonable cause
  – Not corrected within the timeframe
  – Extent of penalty would be excessive relative to the violation
Breach Timeline
• 08/24/09 – Interim Final Rule
• 09/23/09 – Notification of Breach
• 11/30/09 – Enforcement
• 1/25/13 – Final Rule
• 3/26/13 – Effective Date, Final Rule
• 9/23/13 – Compliance Date, Final Rule
Breach Final Rule
• Definition of a Breach: “The acquisition, access, use, or disclosure of protected health information in a manner not permitted [Privacy Rule] which compromises the security or privacy of the protected health information.”
• Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
Breach Final Rule
HARM THRESHOLD
Breach Final Rule
• Impermissible use of PHI is PRESUMED a breach unless the CE can demonstrate a low probability that PHI was compromised.
  – Harm threshold replaced by risk assessment
  – If a determination to notify has been made, a risk assessment is not required
Breach Final Rule
• Risk Assessment
  – Nature and extent of the PHI
  – Who used the PHI, or to whom was it disclosed?
  – Was the PHI actually acquired or viewed?
  – Extent to which the risk to the PHI has been mitigated
• OCR expected to issue further guidance
Breach Final Rule
• Reporting a Breach to the OCR
  – Considered “discovered” on the first day it is “known” to the CE/BA
  – Business Associate must notify CE immediately
  – Ultimate responsibility for reporting to OCR lies with the CE
  – <500 individuals: must notify HHS 60 days after close of year
  – >499 individuals: must notify HHS when individuals are notified
Breach Final Rule
• A breach only occurs if it involves unsecured PHI.
• Safe Harbor
  – Encryption
  – Meets definition of unsecured PHI
Breach Notification
• To the Individual
  – No later than 60 days from discovery
  – Written notification or substitute notice required
    • First-class mail or email
Breach Notification
• Notification Scenarios
  – Minors, incompetent or deceased adult
  – Alternative communications
  – Patient condition
  – Health plan
Breach Notification
• Substitute Notice
  – Exception: deceased, next of kin, or personal representative cannot be reached; no further action required
  – Requirement varies if there are <10 or >10 individuals
Breach Notification
• Substitute Notice (cont’d)
  – <10: notice can be written, by phone, or by other means
  – >10:
    • Posting on home page for 90 days, or
    • Ad in major print media in the area where individuals most likely reside, for 90 days
    • Include toll-free number in both for 90 days
• Additional emergent contact is also permitted for urgent situations
Breach Notification
• Notification Elements
  – Date of breach
  – Date of discovery (if known)
  – Brief description of what happened
  – Description of types of PHI involved
  – Steps an individual should take to protect themselves from potential harm
  – Description of what is being done to investigate and mitigate the breach
  – Contact information of CE/BA
Breach Notification
• Breaches >500
  – Prominent media outlets must be notified no later than 60 days from discovery
  – Must be reported to OCR no later than 60 days from date of discovery
  – Notification to all affected, including required elements
  – American Samoa and Northern Mariana Islands are now included (not specified in HIPAA)
Breach Notification
• Breaches <500
  – Must be reported annually to OCR
  – All breaches that occur in a calendar year must be reported within 60 days of the end of that calendar year
Breach Notification
• Business Associates
  – Considered discovered on the day the BA discovered the breach
  – BA must notify CE
  – Responsibility will vary by BA and CE relationship
  – Should be specified in BAA
Breach Notification
• Delays by law enforcement
  – Notification or posting can be delayed if requested by law enforcement for criminal investigations or a matter of national security
    • In writing: must specify the time period of delay
    • Oral: must be documented; only valid for 30 days unless received in writing
Breach: Key Steps
1. Potential privacy/security violation reported
2. Investigation and documentation
   a) Did a breach occur?
3. If breach determined, perform risk assessment
4. Notify individuals
5. Report to HHS accordingly (<500 or >500)
6. Feedback/mitigation/sanctions
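The key steps above, together with the breach definition, encryption safe harbor, risk-assessment presumption and reporting thresholds from the preceding slides, as an added Python example that is not part of the presentation: it decides whether an incident is a reportable breach and computes the individual, HHS and media deadlines. It assumes the thresholds exactly as the slides state them (fewer than 500 affected is reported annually, otherwise when individuals are notified), and it does not model substitute notice or law-enforcement delays.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# Constructed model of the incident facts that drive the decision (assumed field names).
@dataclass
class Incident:
    discovered: date        # first day the incident was "known" to the CE/BA
    affected: int           # number of individuals whose PHI was involved
    encrypted: bool         # PHI rendered unusable per the Secretary's guidance (safe harbor)
    low_probability: bool   # four-factor risk assessment showed low probability of compromise
    decided_to_notify: bool = False  # CE chose to notify anyway; no risk assessment required


def breach_obligations(inc: Incident) -> dict:
    """Return {'breach': bool, 'reason': str, 'deadlines': {party: date}}."""
    result = {"breach": False, "reason": "", "deadlines": {}}
    # Step 2: a breach only occurs if it involves unsecured PHI (encryption = safe harbor).
    if inc.encrypted:
        result["reason"] = "PHI was encrypted: not unsecured PHI, no breach"
        return result
    # Step 3: impermissible use is presumed a breach unless the risk assessment
    # demonstrates a low probability of compromise. If the CE has already decided
    # to notify, the assessment is not required and the presumption stands.
    if inc.low_probability and not inc.decided_to_notify:
        result["reason"] = "risk assessment: low probability PHI was compromised"
        return result
    result["breach"] = True
    result["reason"] = "presumed breach of unsecured PHI"
    # Step 4: individuals are notified no later than 60 days from discovery.
    sixty_days = inc.discovered + timedelta(days=60)
    result["deadlines"]["individuals"] = sixty_days
    # Step 5: the HHS reporting path depends on how many individuals were affected.
    if inc.affected < 500:
        # Fewer than 500: reported within 60 days of the end of that calendar year.
        year_end = date(inc.discovered.year, 12, 31)
        result["deadlines"]["hhs"] = year_end + timedelta(days=60)
    else:
        # 500 or more: report to OCR when individuals are notified, and notify
        # prominent media outlets, both no later than 60 days from discovery.
        result["deadlines"]["hhs"] = sixty_days
        result["deadlines"]["media"] = sixty_days
    return result


if __name__ == "__main__":
    # Constructed sample: lost unencrypted device, 12,000 people, discovered 2013-03-01.
    print(breach_obligations(Incident(date(2013, 3, 1), 12_000, False, False)))
```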
Breaches & Enforcement in Action
• Major Cases in 2013
  – United HomeCare Services, Inc (12,229)
  – Healthcare for Women (8,727)
  – Catoctin Dental/Richard B. Love (6,400)
  – Utah Dept of Health (6,332)
• Major Cases in 2012
  – Emory Healthcare (315,00)
  – South Carolina Dept. of Health and Human Services (228,435)
  – Alere Home Monitoring Inc (116,506)
  – Crescent Health Inc, a Walgreen’s company (109,000)
Genetic Information Nondiscrimination Act (GINA)
• Information about:
  – The individual’s genetic tests;
  – The genetic tests of family members of the individual;
  – The manifestation of a disease or disorder in family members of such individual; or
  – Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
GINA
• Applies to the following:
  – group health plans,
  – health insurance issuers,
  – health maintenance organizations,
  – issuers of Medicare supplemental policies,
  – employee welfare benefit plans,
  – high risk pools,
  – certain public benefit programs, and
  – any other individual or group plan, or combination of individual or group plans.
Specifications
• Prohibits uses and disclosures for:
  – Underwriting, except for long term care policies
  – Underwriting, even though this activity is typically considered payment or a healthcare operation
• Clarifies that a health plan may
  – Release summary health information to sponsors
  – Continue to use and disclose information as required by law
• Clarifies that healthcare providers may continue to disclose genetic information for payment purposes
Next Steps
• Review state laws against the final rule
• Review/update policies and procedures
  – What’s working? What’s not?
• Update incident/breach response plan
  – Create a risk assessment template
• Update BA agreements
  – Specifically identify BA responsibilities
Next Steps
• Update NPPs to include:
  – Fundraising
  – Restrictions
  – Decedents
  – Access
• Update authorizations
  – Marketing
  – Sale of PHI
  – Research
Questions?
Thank You!
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA, Director, HIM Practice Excellence at AHIMA
Diana Warner, MS, RHIA, CHPS, FAHIMA, Director, HIM Practice Excellence at AHIMA
References
• Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050067.pdf
References (cont’d)
• Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
• HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privrulepd.pdf
• AHIMA Advocacy and Policy Center: www.ahima.org/advocacy
AHIMA Privacy & Security Resources
• A HIPAA Security Overview
• HIPAA Privacy and Security Training (Updated)
• Notice of Privacy Practices (Updated)
• Preemption of the HIPAA Privacy Rule (Updated)
• Retention and Destruction of Health Information
• Sanction Guidelines for Privacy and Security Violations
• Security Risk Analysis and Management: An Overview (Updated)
• Security Audits of Electronic Health Information (Updated)
• The 10 Security Domains
Resources – Breach Tools
• Model Breach Notification Letter. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044673.hcsp?dDocName=bok1_044673
• Breach Notification Template Letter. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_045987.pdf
• Model Plan for Breach Notification. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044673.hcsp?dDocName=bok1_044673