Alaina Crislip – HIPAA In A HITECH World

What You Don’t Know Can Cost You
October 10, 2013
Alaina N. Crislip, Esq.
Final HIPAA Omnibus Rule
• What Happened?
– Adopted modifications to the HIPAA Privacy, Security, and
Enforcement Rules to implement statutory requirements from
the HITECH Act
– Adopted changes to the Breach Notification
Rules for Unsecured PHI
– Modified HIPAA to conform to the Genetic
Information Nondiscrimination Act (GINA)
What’s Not in the Final Rule
• Accounting of Disclosures
• Methods for giving individuals harmed by
HIPAA violations a percentage of any civil
monetary penalties or settlements
collected (HITECH Sec. 13409(c)(3))
• HITECH also mandated study of definition
of “psychotherapy notes”
Final Rule: Important Dates
• Final Rule became effective on March 26, 2013
– Enforcement Rule changes effective on that date
– CEs and BAs must comply with the Final Rule by
September 23, 2013
– Only exception is for a BAA that was in place and compliant
with the prior rules before January 25, 2013, and is not renewed
or modified between March 26, 2013 and Sept. 23, 2013
• Such grandfathered BAAs must be brought into compliance by
September 22, 2014
Focus of Final Rule Discussion
• Overview of changes to:
– Breach Notification Rule
– Business Associates
• Subcontractor Relationships
– Other key changes
– Enforcement Rule
Breach Notification
• Refers to the concept that a patient has a
right to know if his or her PHI has been
“breached” in an improper manner
• Federal breach notification standard established by the
HITECH Act
• Breach notification laws also exist at the state level, e.g.
– WVC § 46A-2A-101
Breach Notification – 2009 Interim Final Rule
• Definition of “Breach”:
– Acquisition, access, use, or disclosure of
unsecured PHI
– In a manner not permitted by the Privacy Rule
– That poses significant risk of financial,
reputational, or other harm to patient
Breach Notification – Final Rule
• Final Rule changed the definition of “Breach” by deleting
the “significant risk of harm” standard
• Focus is now upon whether the PHI has been compromised
• New definition:
– Acquisition, access, use, or disclosure of unsecured PHI
– In a manner not permitted by the Privacy Rule
– That compromises the security or privacy of the PHI
Breach Notification – Final Rule
• Any impermissible acquisition, access, use, or disclosure of PHI
is presumed to be a “Breach” unless the CE or BA demonstrates
that there is a “low probability” that the PHI has been compromised
• That showing must be based on a risk assessment that considers
at least the following factors:
– The nature and extent of the PHI involved, including types of
identifiers and likelihood of re-identification;
– The unauthorized person to whom the disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which risk to the PHI has been mitigated
Breach Notification-Final Rule
• Probability of Compromise Risk Assessment
– Covers impermissible “acquisition, access, use, or
disclosure” of PHI
– Limited data sets are required to have the risk
assessment performed
– Violations of minimum necessary must be evaluated
using the risk assessment
Breach Notification – Final Rule
• The three exceptions to the definition of “Breach” were retained in the Final Rule
– Unintentional access or use by workforce member of CE or BA if
in good faith, within scope of authority, and not resulting in
further use or disclosure
– Inadvertent disclosure by a person with authorized access to PHI
at a CE or BA to another workforce member with authorized
access, and not resulting in further use or disclosure
– Any disclosure of PHI where a CE or BA has good faith belief
that unauthorized person to whom disclosure was made would
not reasonably have been able to retain such information
Breach Notification – Final Rule
• Other aspects of breach notification remain unchanged
– Contents of notification
Description and time of incident
Description of types of PHI
Description of investigation and mitigation
List of steps and contacts for patients to protect themselves
– Notification to individuals without unreasonable delay, and in
no case later than 60 days after discovery
– Notification of prominent media outlets and HHS/OCR (at the
same time as the individual notices) if 500 or more individuals
are affected
– If fewer than 500 individuals are affected, log the breach and
report it to HHS/OCR annually, within 60 days after the end of
the calendar year in which it was discovered
Breach Notification – Final Rule
• Applies to both CEs and BAs
• BA must notify its CE without unreasonable delay, and in
no case later than 60 days after discovery
• Content of notification
– Identification of each patient whose unsecured PHI is reasonably
believed to have been compromised
– Other available information that CE may need to put in its
notification to patient
Business Associates
What’s New Under the Final Rule?
• Expanded Definition of Business Associate
• Subcontractors of a BA are now themselves BAs, even if no
business associate agreement is in place
• Direct Application
– Security Rule – technical, administrative, and physical safeguards
– Privacy Rule – compliance with disclosure limitations in the rule and in
the business associate agreement
• Direct liability for violations
– Criminal and civil penalties for failure to comply with applicable
provisions (impermissible uses and disclosures of PHI and failure to report
breaches to covered entities)
Business Associate Obligations
The Final Rule specifies the Privacy Rule obligations of a Business Associate, which
were not addressed in detail in the HITECH Act. Business Associates are obligated to:
• Limit uses and disclosures to what is permitted under the Privacy Rule, subject to
what is allowed under the Business Associate Agreement. This specifically
includes compliance with the minimum necessary standards;
• Provide breach notification to the covered entity;
• Provide a copy of electronic PHI to either the covered entity, the individual or to
the individual’s personal representative, as specified in the business associate
agreement;
• Disclose PHI to the Secretary in an investigation of the Business Associate’s
compliance with HIPAA;
• Provide an accounting of disclosures;
• Comply with the security rule.
Business Associates-Expanded
• Entities that create, receive, maintain, or transmit PHI on
a routine basis
– Health Information Organizations
– E-Prescribing Gateways
– Data Transmission Services
– Patient Safety Organizations
• Personal Health Record vendors who serve CEs
• Subcontractors who create, receive, maintain or
transmit PHI for a BA
Vendors & Data Transmission Companies
• Conduit Exception – Very Narrow
– Fact-specific analysis will determine whether an entity is a BA
– Transmission Services – (digital or hard copy) including any
temporary storage of transmitted data incident to such
transmission
• U.S. Postal Service
• Internet Service Providers
– Storage and Maintenance of PHI on behalf of a CE
• Not a conduit, even if the entity does not actually view the PHI
– Transient v. persistent nature of opportunity to view data
– Random or infrequent access standard
– More guidance expected on conduits
Subcontractor Example
• A shredding company is hired by a BA of a
hospital for document shredding and
secure disposal of PHI
– Is a BA Subcontractor Agreement necessary?
– Is the shredding company directly obligated to
implement safeguards with respect to handling the
PHI, as well as to limit its uses and disclosures of the
PHI?
Downstream Contractors
• A hospital contracts with a billing
company. The billing company contracts
with a shredding company to dispose of its
billing records. The shredding company
contracts with a trucking company to bring
the hospital’s paper billing records to its
shredding facility.
Downstream Contractors (cont.)
Under the Final Rule, each of these entities would be directly responsible
for compliance with the business associate requirements under the Security
and Privacy Rules, even if the parties failed to enter into a written business
associate agreement. The trucking company’s responsibility would likely be
based on custody, even if it did not view the records, as discussed above.
Under the Final Rule, the hospital would only be required to enter into a
business associate agreement with the billing company. Each business
associate or downstream subcontractor would be required to obtain written
“satisfactory assurances” from its immediate subcontractor.
In the event of a breach of the security of unsecured PHI, the chain of
reporting would follow the chain of contracting in reverse: trucking company
to shredding company; shredding company to billing company; billing
company to hospital.
Grandfathered Business Associates
In recognition that it will take time to renegotiate existing business
associate agreements, the Final Rule grandfathers certain business
associate agreements for up to one year beyond the compliance date,
that is, up to September 22, 2014.
• In order to qualify, the business associate agreement must have
been in existence prior to the publication of the Final Rule (January
25, 2013), have complied with HIPAA prior to the publication date
and not be renewed or modified during the grandfather period.
• An automatic renewal, under a so-called evergreen clause, does not
constitute a renewal or modification for purposes of the availability of
the grandfather period.
HIPAA Omnibus Rule—
Other Key Changes
• Strengthens limitations on use and disclosure of PHI for marketing and
fundraising, and prohibits sale of PHI without individual authorization
• Expands an individual’s right to receive electronic copies of health information
and to restrict disclosures to health plans concerning treatment for which the
individual has paid the out-of-pocket amount in full
• Requires modifications to, and redistribution of, a CE’s notice of privacy
practices
• Modifies the individual authorization and other requirements to facilitate research
and disclosure of child immunization proof to schools, and to enable access to
decedent information by family members or others
• Modifies the HIPAA Privacy Rule as required by GINA to prohibit most health
plans from using or disclosing genetic information for underwriting purposes
Access - Electronic
• Must have reasonable safeguards in place to protect transmission of
ePHI, but …
• If an individual wants information by unencrypted e-mail, the entity may
send it that way after advising the individual that such transmission is risky.
• Must have a secure mechanism available – but can’t force individuals to accept it
• An electronic “machine readable copy”
o Digital information stored in a standard format enabling the PHI
to be processed and analyzed by a computer.
• Covered entities must accommodate individual requests for specific
formats, if possible.
Access - Fees
• Fees charged are restricted to labor costs – cannot include costs
of retrieval, or a portion of capital costs.
• Charge can include supplies provided to the individual upon request.
Access - Third Parties
• Individual may request that a covered entity send PHI directly
to another person designated by the individual.
• Request must be
o be “in writing” and signed by the individual
o clearly identify the designated person and where to
send the copy of the PHI
• Information must be protected and entity must implement
reasonable policies and procedures to send it to the right
place (e.g., type e-mail correctly).
• “In writing” can be electronic.
Fundraising
• Previously, permitted a covered entity to use or disclose PHI to a
business associate or related foundation for fundraising purposes
without an individual’s authorization.
• Permitted PHI included:
o Demographic information related to an individual.
o Dates of health care provided to an individual.
• Demographic information included: name, address, other contact
information, age, gender, and insurance status, but not diagnostic
information
• Had to include fundraising in Notice of Privacy Practices and tell
individual how to opt out of future fundraising.
Fundraising (cont.)
• Now expands demographic information to include:
o Treating physician
o Outcome
o Department (limited diagnostic information)
Fundraising (cont.)
• Flexibility to decide the method to allow for individuals to opt out and
opt back into the use of PHI in fundraising activities.
o For example, toll-free number, email address, other opt-out
mechanism or a combination of methods
• Leaves the decision as to the scope of the opt-out related to future
fundraising communications to the covered entity.
• Many covered entities found campaign-specific opt-outs difficult to
track for compliance purposes.
• HHS strengthened the standard for further communications after an
individual opts out, from “reasonable efforts” to an outright prohibition
Notice of Privacy Practices (NPP)
• Include statements regarding certain uses and disclosures requiring authorization:
o Psychotherapy notes (where appropriate)
o Marketing
o Sales of PHI
o Right to restrict disclosures to health plans (provider only)
o Right to be notified of breach (but not an entity-specific statement)
• Include a general statement that all uses and disclosures not
described in NPP also require authorization.
• Methods for redistributing set forth in Final Rule- Sept. 23rd deadline
Enforcement Rule Provisions
• Adopted the increased Civil Monetary Penalty (CMP) amounts and
tiered levels of culpability introduced in 2009
• Clarified “reasonable cause” tier
• Willful Neglect Penalties do not require informal
resolution by OCR
• Intentional wrongful disclosures may be subject to civil,
rather than criminal penalties
• Removed “did not know” affirmative defense to CMP
• No CMP for violations not due to willful neglect that are corrected
within 30 days of the date the CE or BA knew, or should have known,
of the violation
Increasing Penalty Tiers
Violation Category              | Each Violation     | Total CMP for Violations of an Identical Provision in a Calendar Year
Did Not Know                    | $100 – $50,000     | $1,500,000
Reasonable Cause                | $1,000 – $50,000   | $1,500,000
Willful Neglect – Corrected     | $10,000 – $50,000  | $1,500,000
Willful Neglect – Not Corrected | At least $50,000   | $1,500,000