1

Consulting | Brokerage | Compliance | Communication | Administration

HIPAA HITECH Compliance

An Analysis

and

“What to do now”

Webinar

Presented by

Patrick C. Haynes, Jr., Esq., LL.M |

May 2013

2

2

3

3

Patrick C. Haynes, Jr.

As counsel for Crawford Advisors’ Employee Benefits and Executive Compensation Group, Mr. Haynes advises employers and plan sponsors in a variety of health and welfare benefit plan compliance matters, including, but not limited to, tax qualification and other Internal Revenue Code issues, ERISA, COBRA and HIPAA portability and privacy issues. Mr. Haynes lectures frequently and has published many articles on health and welfare benefit plan compliance topics.

Today’s presenter

Practice Areas Employee Benefits & Exec Comp, ERISA, COBRA, HIPAA, §125, and §§ 105, 106, 129, 132

Education Temple University School of Law, LL.M. Rutgers University School of Law, J.D. Rutgers University School of Business, M.B.A. Rutgers University College of Arts & Sciences, B.A.

Admitted to Practice U.S. Supreme Court

Federal and State Courts of

New Jersey

Pennsylvania

Connecticut

District of Columbia

4

Important Dates

• March 26, 2013: The Rules became effective

• September 23, 2013: Covered entities must comply with most of the new Rules’ provisions

• September 25, 2013: Disclosures of PHI become subject to the new restrictions on sale of PHI

• September 22, 2014: Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the new Rules

5

To Note

• Rules in some respects represent a major departure from the existing HIPAA and HITECH requirements previously proposed in the interim rules issued in October 2009 and July 2010.

• Entities that have aligned their practices with the Interim Rule will, therefore, have fewer changes to implement.

6

Overview of the NEW Rules

1. Additional disclosures “HIPAA Privacy Notices”

2. Expanded rights to be notified of breaches

3. Substantial lowering of the threshold for notification of a breach of PHI

4. Documented risk assessment rules

5. Expansion of individuals’ rights to access their PHI

6. Expansion of the definition of Business Associates

7. Direct liability under the Rules on Business Associates for compliance Privacy and Security Rule requirements

8. Provisions that covered entities and Business Associates must include in their BAAs, and a requirement for all existing BAAs to comply with the new Rules by September 22, 2014

7

Other Significant Changes

• Clarification of the circumstances in which providers of patient health record portals are subject to HIPAA

• Individuals’ enhanced ability to restrict disclosures of certain PHI

• Restrictions on the circumstances in which adherence programs can be conducted

8

The BA Expansion

The Rules clarify the circumstances in which vendors are deemed to be Business Associates, and expand the definition of “Business Associate” to include most subcontractors that access PHI.

9

Vendors

The Rules clarify that vendors that require “routine” or “more than random” access to PHI are Business Associates, while those that act as “mere conduits” for or have “random access” to PHI continue to be outside the scope of the definition.

10

Vendor Examples

• Providers of data transmission services, to the extent they require “routine access” to the PHI;

• Data storage or document storage vendors – whether or not they view the PHI they maintain;

• Operators of portals or other interfaces created on behalf of covered entities that allow patients to share their data with the covered entity; and

• Entities that provide oversight and governance for electronic heath information exchanges.

11

Subcontractor Examples

• The Rules also include as a Business Associate any subcontractor to the extent the subcontractor requires access to PHI

• An enrollment entity (medical underwriting data), disease management company, an EAP, etc.

12

Hybrid Entity Examples

The Rules now require hybrid entities to include within the covered component of the entity Business Associate-like functions that were previously outside the covered component. An example of a hybrid entity includes an organization that is not generally in the business of providing health care, but, for example, operates on-site health clinics.

13

What to do now! 1. Make a list of vendors that provide services to the cover entity; 2. Business Associates should, in turn, inventory their subcontractors; 3. Determine whether the vendors are Business Associates under the revised

Rules; 4. Review whether each vendor or subcontractor requires access to PHI to

perform services for the covered entity or first tier vendor, or whether the access should be curtailed or data de-identified;

5. Enter into BAAs (Business Associate Agreements) with vendors and subcontractors that have become Business Associates under the Rules;

6. Consider/Remind vendors/subcontractors about their obligation to review the Rules and ensure compliance with the relevant Privacy and Security requirements; and

7. Examine internal health-care related operations, such as on-site clinics and health care plans, to ensure that Business Associate-like functions are brought within the covered components of those organizations.

14

BA’s New Privacy and Security Rules

Security The new Rules make Business Associates directly responsible to regulators for complying with the Security Rule. Privacy • Use or disclose PHI only as permitted or required by the BAA (or

required by law); any other use or disclosure of PHI would be a violation of the HIPAA Privacy Rule for which the Business Associate would be directly liable (such a violation would likely be deemed a breach subject to the requirement to notify affected individuals);

• Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity;

15

BA’s New Privacy and Security Rules

Privacy • Provide an individual or the individual’s designee with a

copy of their PHI in an electronic format

• Limit the PHI that Business Associates use

• Respond to known noncompliance with the Rules

• The new Rules make Business Associates directly responsible to regulators for complying with the Security Rule.

16

Upcoming Important Date

While the Rules make significant changes to BAA requirements, covered entities and Business Associates (and Business Associates and their subcontractors) may continue to operate under existing agreements until September 22, 2014.

17

Requirements

The Rules now require Business Associates to enter into BAAs with their subcontractors pursuant to the same requirements that apply to covered entities with respect to their first tier vendors. The Rules do not require covered entities to enter into BAAs with their covered subcontractors.

18

Requirements

The Rules modify the content of BAA’s… They require: • Business Associates carry out covered entity’s

obligations under the Privacy Rules

• Business Associates to comply with the Security Rules

• Business Associates to ensure that any subcontractors enter into a contract

• Business Associates to report security incidents to the covered entity

19

What to do now

Covered entities and Business Associates should:

• prepare and update BAA

• Identify Business Associates and subcontractors

• Ensure that, going forward, new Business Associate engagements use the updated BAA

• Ensure that all BAAs are up to date by September 22, 2014.

20

Notice Requirements

Need to inform individuals that: • They have a right to be notified following a breach

• They may be contacted to raise funds and have the right to opt out

• Most uses of and disclosures of require the individual’s authorization

• Uses and disclosures will be made only with the authorization from the individual

• Individuals have the right to restrict certain disclosures of PHI to a health plan

21

Redistribution Requirement

The Rules require redistribution of the updated HIPAA Privacy Notices.

Covered entities must:

(1) prominently post the revised Privacy Notice (or a summary linked to the notice) on their site by the effective date of the changes (i.e., September 23, 2013 at the latest), and

(2) provide the revised Privacy Notice in the covered entity’s next annual mailing to affected individuals. If the notice is not provided via a website, the covered entity must provide it to affected individuals within 60 days of the effective date of the updated notice.

22

What you need to do now

• Update HIPAA Privacy Notice

• Verify that the notice accurately reflects the covered entity’s actual practices

• Determine the appropriate medium for redistributing the Privacy Notice

• Redistribute the Privacy Notice within the appropriate timeframe.

23

Breach Notification

The New Rules lower the threshold for notification of affected individuals by:

1. Abandoning the current harm threshold to instead a “significant risk of financial, reputation or other harm”

2. Presuming that notification is required in all circumstances, except when:

- There is a “low probability” of compromise of the PHI

- One of the existing exceptions to the definition of the breach applies to unintentional and inadvertent disclosure of the PHI

24

The New Risk Assessment Rules

The risk assessment must consider at least:

• The nature and extent of the PHI involved

• The type of unauthorized person who used the PHI or to whom the data was disclosed;

• Whether the PHI was actually acquired or viewed; and

• The extent to which risk to the PHI has been mitigated.

25

What to do now

• Revise PHI breach investigation and notification policies

• Implement a process to conduct and document risk assessments to determine PHI compromise

26

Rules about the sale of PHI

A Sale is defined as:

• Any disclosure of the information for which the covered entity or Business Associate receives remuneration

• Such remuneration may be direct or indirect, and financial or non-financial.

• Prohibited, except with a written authorization from the individual (whom PHI pertains)

27

Expansion of Individual Rights

The Rules specifically require disclosure that satisfies three conditions:

• For purposes of carrying out payment or healthcare operations

• Not otherwise required by law

• The PHI pertains solely to a health care item or service for which the individual paid in full.

A disclosure of PHI in violation of this requirement would violate the Privacy Rule and could trigger breach

28

What to do now

• Ensure that policies are consistent with the new Rules

• Ensure that there are technical means to provide copies of electronic PHI

29

Conclusions

A. The new Rules represent an evolution in enhancing the protection of and access to PHI.

B. HHS has made it clear that it intends to issue further guidance on many aspects of the new Rules.

C. Business Associates and other organizations that come in contact with health information should continue to monitor this space closely.

30

30

Crawford Advisors, LLC

200 International Circle, Suite 4500, Hunt Valley, MD 21031

Devon Square Two, 744 West Lancaster Avenue, Suite 215, Wayne, PA 19087

800.451.8519

www.CrawfordAdvisors.com

Via E-mail to: webinars@crawfordwebinars.com

To Download These Slides: http://www.crawfordwebinars.com

Questions & Requests: rcrawford@crawfordadvisors.com

Questions