1
Welcome!
Richard E. Nell, Nell & Associates, S.C.
The health care facet of our group focuses on contract drafting, review and negotiation, as well as entity formation and regulatory compliance. Our practice encompasses all of the laws and regulations affecting the business of health care and HIPAA including Civil Monetary Penalties, EMTALA including defense of EMTALA proceedings, NPDB, tax exempt issues, practice management, professional licensure and medical staff issues.
Jesse A. Berg, Gray Plant Mooty
Jesse counsels health care providers on federal and state anti kickback laws, the Stark physician self-referral law, Medicare and Medicaid reimbursement, enrollment and participation issues, HIPAA and state privacy and confidentiality matters, as well as federal and state antitrust issues. Jesse provides legal guidance to a variety of different types of health care providers.
2
Background on HIPAA and HITECH: Privacy and Security Regulations and the Status of HITECH Regulations
Lorman Education Services: Medical Records Law
March 23, 2012
Richard E. Nell, Nell & Associates, S.C.
Jesse A. Berg, Gray Plant & Mooty
3
Key Changes Under HITECH
• Breach notification
• Business associates subject to privacy, security rules
• Accounting of Disclosure requirements
• Access to PHI kept in EHR
• Minimum Necessary Rule
• Request for Restrictions on Disclosures
• Disclosures for Marketing
• Fundraising
• Sale of PHI
• HHS investigations and penalties required for cases involving willful neglect
• State attorneys general authorized to sue for HIPAA violations
• Adversely affected parties can recover a percentage of civil monetary penalties or settlements
4
Effective Dates of Key HITECH Provisions
2009
  – Feb. 17
    • CMPs applicable to BAs
    • State AGO enforcement
  – Aug. 24
    • Notification of breach interim regulations
  – Sep. 23
    • Effective Date of Breach Notification regulations
2010
  – Feb. 17
    • BA contracts required for certain entities
    • BA’s security obligations
    • BA’s privacy obligations
    • Access to information in electronic format
    • Request on restrictions for PHI disclosures to plans when payment is out of pocket
    • Conditions on certain communication as part of health care operations
  – Aug. 17
    • Guidance on minimum necessary rule
    • Proposed regulations on prohibition on sale of EHRs or PHI
  – Sep. 17
    • Criminal willful neglect regulations
2011
  – Jan. 1
    • Accounting for EHR disclosures (if EHR acquired after 1/1/09)
  – Feb. 17
    • Effective date for final regulations on sale of EHRs or PHI
    • Criminal willful neglect effective
2014
  – Jan. 1
    • Accounting for EHR disclosures (if EHR acquired as of 1/1/09)
5
HITECH Developments: where are we now?
• HITECH Act (Feb. 17, 2009)
• Breach Notification Interim Final Rule (74 FR 42740, Aug. 2009)
  – Effective Sep. 23, 2009
• HITECH Enforcement Interim Final Rule (74 FR 56123, Oct. 2009)
  – Effective Nov. 30, 2009
• HITECH Proposed Rule (July 2010)
  – Addresses HIPAA Privacy, Security & Enforcement Rules
6
Overview of Proposed Regulations
• Dates:
  – Published July 14, 2010 (75 Fed. Reg. 40,868)
  – Deadline for submitting comments was September 13, 2010
  – Unless otherwise indicated, compliance date is 180 days after publication of Final Rule
  – Later date for revising BA contracts
• Content:
  – Business associates
  – Enforcement
  – Electronic access
  – Marketing
  – Fundraising
  – Sale of PHI
  – Right to request restrictions
  – Minimum necessary
  – Notice of privacy practices
  – Research authorizations
  – Student immunization records
  – Decedent information
7
Modifications to Privacy, Security and Enforcement Rules
• Proposed modifications included:
  – Require BAs to be subject to Security Rule and parts of Privacy Rule
    • Written agreements between BAs and subcontractors
  – Issue of whether amendments to BA contracts with Covered Entities are required
  – New limitations on use and disclosure of PHI for marketing, fundraising
  – Individual rights (access, requesting restrictions, notice of privacy practices)
  – HHS sought guidance on “minimum necessary”
8
Modifications to Privacy, Security and Enforcement Rules
• Proposed regulations (July 14, 2010)
  – Comment period closed on Sep. 13, 2010
  – No final rule to date, which means regulations remain nonbinding
• HHS has indicated it will be issuing an “omnibus” HIPAA rule
  – Addressing penalties, breach notification and issues from the July 2010 proposal
9
HIPAA Enforcement: A Perfect Storm
• Why?
  – Increased regulation and greater complexity
    • HITECH and HIPAA
    • State laws
  – Increasing volumes and types of information
    • EHRs
    • Mobile devices and locations
    • Social media
    • Online treatment options
  – Increasing enforcement
    • Enhanced penalties
    • Aggressive regulators
10
HITECH Act
• Required Covered Entities to provide accounting of disclosures from an electronic health record to carry out treatment, payment and health care operations
• May 3, 2010: HHS issues request for information for HITECH AOD standard
11
ACCOUNTING OF DISCLOSURES
Current Rule:
• Accounting of disclosures is required in only a limited number of instances
• Accounting of disclosures not required for disclosures for Treatment, Payment or Health Care Operations
12
ACCOUNTING OF DISCLOSURES
• Under HITECH, CEs and BAs will need to account for TPO disclosures if they use an EHR:
  – CEs that have EHR before 1/1/09 not bound until 2014
  – CEs that acquire EHR after 1/1/09 bound on 1/1/11
  – Applies to 3 years prior to date on which accounting requested
  – HHS can postpone compliance dates for two years
13
Proposed AOD Regulations
• Issued May 31, 2011; comments accepted through Aug 1, 2011
  – 76 Fed. Reg. 31426 (May 31, 2011)
• Key components:
  – Created broad new access report right
  – Limited current AOD right
• Effective Dates
  – Access reports on 1/1/13 or 1/1/14
  – AOD requirement 240 days after final regulations published
14
Right to AOD
• Scope of information subject to accounting is information in designated record set (DRS)
• Proposal would require the CE to include the disclosures of its BAs in the accounting.
• Reduces the accounting period to disclosures occurring during the previous 3 years, rather than 6 years.
15
Right to AOD
• Provides a list of the types of disclosures subject to the accounting:
  – Public health
  – Judicial and administrative proceedings
  – Law enforcement
  – Avert threat to health/safety
  – Military and veterans activities
  – Dept. of State
  – Government programs providing public benefits
  – Workers compensation
  – Impermissible disclosures, unless constitutes a breach
16
Right to AOD
• Modifies elements of the existing content requirements:
– An explanation of the type of PHI disclosed, instead of a brief description of the PHI disclosed
– A description of the purpose, instead of a statement of the purpose, in an effort to clarify that only a “minimum description is required if it reasonably informs the individual of the purpose.”
– Gives individuals the option to limit their accounting to either a particular time period, type of disclosure or recipient.
17
Access Report
• Covered entities required to provide an individual with an “access report” identifying who has accessed the individual’s electronic designated record set information.
• Access right does not extend to paper records.
18
Access Report
• Two major differences from HITECH Act statutory provisions:
– Provides an individual with the right to be informed of all persons who have accessed their record
• Regardless of whether the information was actually disclosed to someone outside of the entity’s workforce.
– Creates a new right to receive an access report with respect to the designated record set maintained by all covered entities, regardless of whether those entities have implemented EHRs.
• HITECH provided for accounting of disclosures from EHRs
19
Access Report
• HHS: new access right would not impose an unreasonable burden on covered entities
• HHS: under HIPAA Security Rule, electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report
20
Access Report
• Report must include the following elements:
  – date of the access
  – time of the access
  – name of the individual, if available, or otherwise the name of the entity who accessed the information
  – description of what information was accessed, if available
  – description of the action by the user, if available
• Electronic DRS information will often reside on a number of distinct systems with separate access logs. HHS expects covered entities to aggregate that data into a single access report.
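The aggregation HHS describes, as an added example that is not part of the presentation and not code from HHS or any EHR vendor: two constructed access logs in hypothetical formats (an EHR audit log and a billing-system log) are normalized into the five elements listed above, the accessor falls back to the entity's name when no individual's name was logged, the billing log carries no action element so that field is left empty rather than guessed, and the rows for one patient from both systems are merged into a single chronological report. The log formats, field layouts, MRN values and the optional lookback cutoff are assumptions.

```python
"""Aggregate per-system access logs into one patient access report.

Added example (not from the presentation). The two log formats below are
hypothetical; real audit logs differ in layout and in which elements they record.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One row of an access report: the five elements the proposed rule lists."""
    date: str                   # YYYY-MM-DD
    time: str                   # HH:MM:SS
    accessor: str               # individual's name if available, else the entity's name
    description: Optional[str]  # what information was accessed, if available
    action: Optional[str]       # what the user did, if available
    source_system: str          # which log the row came from (kept for traceability)


# Constructed sample EHR audit log (hypothetical format):
# ISO timestamp | MRN | user id | user name | record section | action
EHR_AUDIT_LOG = """\
2012-03-01T09:15:22|MRN-0001|jsmith|Jane Smith|Progress note|VIEW
2012-03-01T09:16:05|MRN-0001|jsmith|Jane Smith|Lab results|PRINT
2012-03-02T14:02:40|MRN-0002|rjones|Robert Jones|Medication list|VIEW
"""

# Constructed sample billing-system log (hypothetical format):
# US date/time, MRN, account, user name (may be blank), entity name, description.
# This system logs no action, so that element is unavailable for its rows.
BILLING_LOG = """\
03/05/2012 11:30:00,MRN-0001,svc_claims,,ClaimsClearing Inc,Claim export (837P)
02/28/2012 08:05:11,MRN-0001,mlee,Maria Lee,Billing Dept,Statement lookup
"""


def _split_timestamp(ts: datetime) -> Tuple[str, str]:
    """Normalize a parsed timestamp into the separate date and time elements."""
    return ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S")


def parse_ehr_audit_log(text: str) -> List[Tuple[str, AccessEvent]]:
    """Parse the hypothetical EHR format into (MRN, AccessEvent) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mrn, user_id, user_name, section, action = line.split("|")
        date, time = _split_timestamp(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"))
        # Prefer the person's name; a bare user id is the best available fallback.
        accessor = user_name.strip() or user_id
        events.append((mrn, AccessEvent(date, time, accessor, section, action, "EHR")))
    return events


def parse_billing_log(text: str) -> List[Tuple[str, AccessEvent]]:
    """Parse the hypothetical billing-system format into (MRN, AccessEvent) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mrn, _account, user_name, entity, description = line.split(",")
        date, time = _split_timestamp(datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"))
        # "Name of the individual, if available, or otherwise the name of the entity".
        accessor = user_name.strip() or entity.strip()
        events.append((mrn, AccessEvent(date, time, accessor, description, None, "Billing")))
    return events


def build_access_report(mrn: str,
                        sources: Iterable[List[Tuple[str, AccessEvent]]],
                        since: Optional[str] = None) -> List[AccessEvent]:
    """Merge one patient's events from every system into a chronological report.

    `since` (YYYY-MM-DD) is an optional lookback cutoff; the reporting window is
    left as a parameter because this example does not fix it.
    """
    rows = [ev for source in sources for (m, ev) in source if m == mrn]
    if since is not None:
        rows = [ev for ev in rows if ev.date >= since]
    return sorted(rows, key=lambda ev: (ev.date, ev.time))


def format_report(rows: List[AccessEvent]) -> str:
    """Render the report as plain text, marking unavailable elements as n/a."""
    lines = ["date       time     accessor             information          action"]
    for r in rows:
        lines.append(f"{r.date} {r.time} {r.accessor:<20} "
                     f"{(r.description or 'n/a'):<20} {r.action or 'n/a'}")
    return "\n".join(lines)


if __name__ == "__main__":
    logs = [parse_ehr_audit_log(EHR_AUDIT_LOG), parse_billing_log(BILLING_LOG)]
    print(format_report(build_access_report("MRN-0001", logs)))
```

Each parser owns the quirks of its own system (timestamp style, which elements exist), so adding a third system is a new parser function and one more entry in the `sources` list; the merge step never has to know where a row came from beyond the `source_system` tag.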
21
Access Report
• 30-day timeline for providing the access report
• Within the 30-day period, a covered entity also would need to include the access logs of its business associates that create, receive, maintain or transmit electronic designated record set information.
22
Access Report
• Covered entity would need to provide an individual with a notice of privacy practices that contains a statement of the individual’s right to receive both an accounting of disclosures of PHI and an access report.
• Because the access report requirement is new, it would require an amendment to existing privacy notices.
• Other changes to NPP as HITECH regulations are finalized?
23
Right to AOD
• Provision of an accounting of disclosures:
  – Timeframe for responding to an accounting request decreased to 30 days
  – Must provide individuals with the accounting in the form (e.g. paper or electronic) and format (i.e., compatible with a specific software application) requested by the individual, if readily producible
  – May require the individual to submit the accounting request in writing (which includes electronic requests)
    • Covered entity informs individuals of this requirement.
24
Problems with Proposed Regulations
• HHS recognizes that EHRs do not have technical capacity to allow HITECH accountings
• HHS believes HIPAA Security Rule already requires all access report information to be tracked
• Fundamental “re-thinking” of regulators’ interpretation of Security Rule?
• Is this a reasonable burden to place on covered entities?
• What is the patient interest being advanced?
25
Minimum Necessary
• HITECH section 13405(b): Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary. HHS to issue guidance on what constitutes minimum necessary (at which time provision sunsets).
• HHS asked for comment on what guidance would be helpful to covered entities and BAs
• No change to current regulation
26
Electronic Access to PHI
• For ePHI, covered entity must provide electronic access:
  – In form and format requested by individual, if readily producible, otherwise
  – Readable electronic form and format as agreed to by CE and individual
• Must provide copy to individual’s designee:
  – Request must be in writing
  – Must clearly identify designated person
27
Electronic Access to PHI
• Covered entity may charge for:
  – Labor
    • Time attributable to reviewing request and producing copy
  – Cost of electronic media
    • CD, USB drive, or similar portable media/device
    • Can’t charge for access through portal, e-mail, or PHR
• BA must provide PHI to covered entity, individual, or individual’s designee as set forth in BA agreement
28
MARKETING
• Current rule: certain marketing-type activities are exempted from definition of “marketing” and are considered as part of treatment or healthcare operations
• Under HITECH, authorization is required for such disclosures if the CE receives direct or indirect payment in connection with the communication
• Effective Feb. 17, 2010
29
HITECH Audit Program
• HITECH required HHS to conduct periodic audits of Covered Entities & Business Associates
• 2 contracts (June, July 2011) with Booz Allen Hamilton and KPMG to engage in audits
  – Booz to identify “audit candidate information”
  – KPMG to develop audit protocol and conduct audits
• Audits to conclude by Dec. 31, 2012
30
HITECH Audit Program
• Audits to include
  – Site visit (interview with CIO, legal counsel, HIM/medical records director, other leaders)
    • Examination of physical features, operations and adherence to policies
  – Audit report:
    • Best practices noted; instances of noncompliance
    • Raw data (completed checklists, interview notes)
    • Recommendations for actions to address compliance problems
    • Recommendations to HHS for corrective action
31
Right to Request Restrictions
• Covered entity must agree to individual’s request to restrict disclosure of PHI to health plan if:
  – PHI pertains solely to health care for which individual (or person on behalf of individual other than health plan) has paid covered entity in full out of pocket
  – Disclosure is for payment or health care operations purposes and not required by other law
32
Right to Request Restrictions
• Covered entity cannot require individual to pay out of pocket for all services if individual wishes to restrict disclosures regarding only certain services
• If individual’s payment not honored, and payment issue cannot otherwise be resolved with individual, covered entity may submit PHI to health plan for payment
• HHS asked for public comment on various operational issues
33
Notice of Privacy Practices
• Changes to NPPs
  – Statement regarding sale of PHI and other purposes that require authorization
  – Statement regarding subsidized treatment communications, if applicable, and that individual can opt out
  – Statement regarding fundraising communications, including that individual can opt out
  – Statement that covered entity must agree to restrict disclosure to health plan if individual pays out of pocket in full for health care service
34
Notice of Privacy Practices
• HHS requested comment:
  – Include specific statement on breach notification?
  – Options for health plans to distribute revised NPP
    • In next annual mailing to enrollees
    • Extension or waiver of current 60-day deadline
    • Retain 60-day deadline
    • Others?
35
Research Authorizations
• Covered entity can use one authorization form for use and disclosure of PHI in clinical trial and for PHI to be placed into repository (biospecimen storage)
• Requested comment on amount of specificity about future research uses needed in authorization
  – Do authorizations have to be research specific?
36
Student Immunization Records
• Covered entity may disclose proof of immunization of child to schools in States with school entry laws
  – Written authorization not required
  – Need prior oral or written agreement from parent
37
Decedent Information
• Decedent’s information is no longer PHI after 50-year period
  – Request for comment on proposal of 50 years
• Covered entity may disclose decedent’s PHI to family members and others who were involved in care/payment for care of decedent prior to death, unless inconsistent with prior expressed preference
38
Future HHS/OCR HITECH Activities
• Accounting of Disclosures Final Rule
• Reports to Congress on Compliance, Breach Notification
• HIPAA Audit Program
• State Attorneys General Enforcement
• Minimum Necessary Guidance
• De-identification Guidance
• Final Rules on HITECH, Breach Notification, Enforcement
39
Overview of HIPAA Privacy Rule: Application, Patient Access Rights and Restrictions
Lorman Education Services: Medical Records Law
March 23, 2012
Richard E. Nell, Nell & Associates, S.C.
Jesse A. Berg, Gray Plant & Mooty
40
The Privacy Rule
• The Privacy Rule Does Not Preempt State Law Where the Provision of State Law Relates to the Privacy of Health Information and Is Contrary to and More Stringent Than a Provision of the Privacy Rule
41
The Privacy Rule
• The Privacy Rule Also Does Not Preempt:
  – State Laws That Provide for the Reporting of Disease or Injury, Child Abuse, Birth or Death, or for the Conduct of Public Health Surveillance Investigation or Intervention;
  – State Laws That Require a Health Plan to Report, or to Provide Access to Information, for the Purpose of Management or Financial Audits, Program Monitoring and Evaluation, Licensing, and Related Issues;
  – Laws That the Secretary of HHS Has Determined Should Not Be Preempted
42
Covered Entities
• Health Plans
• Group Health Plans
• Health Care Clearinghouses
• Health Care Providers Who Engage in Electronic Transactions
43
Health Plans
• Individual or Group Plan That Pays for the Cost of Medical Care, Includes:
  – Health Insurance Issuer
  – HMO
  – Medicare
  – Medicaid
  – Medicare Supplement Policy
44
Health Plans
• Long Term Care Policies (Excluding Nursing Home Fixed Indemnity)
• Employee Welfare Benefit Plan
• Health Care Program for Active Military
• Veteran’s Health Program
• CHAMPUS
• Indian Health Service Program
45
Health Plans
• Federal Employees Health Benefits Program
• SCHIP
• Medicare+Choice
• High Risk Pool
• Any Other Individual or Group Plan or Combination
46
Health Plans
• Excluded From Health Plans:
  – Policy, Plan, or Program to Extent it Provides or Pays for Benefits Excepted Under the PHS Act
  – A Government Funded Program (Other Than Those Listed) Whose Principal Purpose is Other Than Providing or Paying for Health Care or Direct Provision or Grants
  – Workers Compensation, Automobile, Property and Casualty Insurance
47
Group Health Plans
• How Most Employers Will Get Pulled Into HIPAA
• Employee Welfare Benefit Plan (ERISA)
  – Possibly Include Flex Plans, FSAs
• Insured and Self-Insured Plans
• To Extent Plan Provides Medical Care to Employees or Participants
  – 50 or More Participants OR
  – Administered by Third Party
48
Health Care Clearinghouse
• Public or Private Entity Including:
  – Billing Service
  – Community Health Management Information System
  – Community Health Information System
49
Health Care Clearinghouse
• Does Either of the Following:
  – Processes Health Information From Another Entity in Non-Standard Format or Non-Standard Data into Standard Data Elements or Standard Transaction; OR
  – Vice-Versa
50
Health Care Provider
• Provider of Services
• Provider of Medical or Health Services
• Provider of Health Care
51
Health Care Provider
• Provider of Services
  – Hospital
  – Critical Access Hospital
  – Skilled Nursing Facility
  – Outpatient Rehab Facility
  – Home Health Agency
  – Hospice Program
52
Health Care Provider
• Provider of Medical Services
  – Physician Services
  – Hospital Services
  – Diagnostic Services
  – Outpatient PT Services
  – Outpatient OT Services
  – Rural Health Clinic Services
  – Home Dialysis Supplies and Equipment
53
Health Care Provider
• Provider of Medical Services Continued:
  – Self-Care Home Dialysis Support Services
  – Physician Assistant Services
  – Nurse Practitioner Services
  – Certified Nurse Midwife Services
  – Psychological Services
  – Clinical Social Worker Services
  – X-Ray Services
54
Health Care Provider
• Provider of Medical Services Continued:
  – DME
  – Ambulance Services
  – Prosthetic Devices
  – Certified Nurse Anesthetist Services
  – Other Services, Which if Provided by Physician, Would be Considered Physician Services
55
Health Care Provider
• Only Health Care Providers Who Transmit Health Information in Electronic Form in Connection With a Transaction, Are Covered
• Electronic Does Not Include Facsimile
56
Health Care Provider
• Transaction Means
  – Transmission Between Two Parties to Carry Out Financial or Administrative Activities
  – Includes
    • Health Care Claims
    • Health Care Payment and Remittance Advice
    • Coordination of Benefits
    • Enrollment and Disenrollment
    • Referral Certification
57
HIPAA and Employers
• Only Certain Health Care Providers, Health Plans, and Health Care Clearinghouses Are Covered Entities
• Employers Not Generally Covered Unless Fall Under Above Definitions
• Caveat: Medical Information Provided to Employers and Employer Sponsored Group Health Plans
58
What is Covered
• Protected Health Information
  – Also Known as “PHI”
  – Individually Identifiable Health Information
  – Transmitted Electronically
  – Maintained in any Media Described Under HIPAA
  – Transmitted or Maintained in ANY OTHER FORM
59
Protected Health Information
• Individually Identifiable Health Information
  – Relates to Past, Present, or Future Physical or Mental Health or Condition of an Individual
  – Provision of Health Care to Individual
  – Past, Present, or Future Payment for Health Care to an Individual
  – That Identifies the Individual, or
  – Reasonably Used to Identify
60
Protected Health Information
• Excludes
  – Education Records Under FERPA
  – Certain Other Records Defined Under FERPA
  – Employment Records Held by a Covered Entity in Capacity as Employer
61
Employment Records and PHI
• Definition of Protected Health Information (“PHI”) Specifically Excludes:
  – Employment Records Held by a Covered Entity in its Role as Employer
    • 45 C.F.R. § 165.501
• Example: Drug Testing or Fitness for Duty
  – Must be Provided to CE in Capacity as Employer
  – If Conducting Testing, Must Get Authorization to Transmit to HR
• Example: Professional Sports Teams’ Player Information
62
Personal Rights
• Overview
  – Covered Entities Must Grant Certain Rights to Individuals
  – Informational Forms and Means of Access and Accounting
63
Notice of Privacy Practices
• Covered Entity Must Provide Notice of Uses and Disclosures of PHI
• Not Directly Applicable to Group Health Plans
64
Notice of Privacy Practices
• Not Applicable to Inmates or Correctional Facilities
• Content
  – Written
  – Plain Language
  – No Prescribed Font Size
65
Notice of Privacy Practices
• Elements
  – Header – Prominent, All Capital Letters
  – Description of Uses and Disclosures
    • TPO
    • Other Purposes Without Authorization
    • Must Reflect More Stringent State Law
    • Those Disclosures Requiring Authorization
    • Right to Revoke Authorization
66
Notice of Privacy Practices
• Specific Uses or Disclosures
  – Appointment Reminders
  – Treatment Alternatives
  – Fundraising
  – Group Plan Disclosure to Plan Sponsor
  – Marketing, per Restrictions
  – Health-Related Benefits/Communications
67
Notice of Privacy Practices
• Individual Rights
  – Right to Request Restrictions
  – Right to Receive Confidential Communications
  – Right to Access
  – Right to Amend
  – Right to Accounting
  – Right to Copy of Notice
68
Notice of Privacy Practices
• Covered Entity’s Duties
  – Required by Law to Maintain Confidential
  – Required to Abide by Notice
  – May Only Change Privacy Practices Through Revised Notice
• Complaint Process
  – Internal and DHHS
• Contact
  – Privacy Officer
• Effective Date
69
Notice of Privacy Practices
• Optional Elements
  – Covered Entity May Further Restrict Use or Disclosure
  – No Restriction on Legally-Required Disclosures
• Revise
  – Covered Entity Must Promptly Revise and Distribute if Material Change
70
Notice of Privacy Practices
• Providing Notice
  – Health Plans
    • No Later than Compliance Date
    • To New Enrollees at Time of Enrollment
    • Within 60 Days of Revision
    • At Least Once per Three Years
    • Provided to Named Insured Only
71
Notice of Privacy Practices
• Health Care Providers
  – Direct Treatment Relationship
  – Date of First Service on or After April 14, 2003
  – In Emergency, May Provide When Reasonably Practicable
  – Good Faith Effort to Obtain Written Acknowledgment (Non-Emergency)
  – Document Failed Attempts
72
Notice of Privacy Practices
• Electronic Notice
  – If Maintain Website, Must Post
  – If Requested, Provide Notice via Email
  – If Failed, or if Requests, Must Provide Paper Copy
  – Good Faith Effort Must be Documented
73
Notice of Privacy Practices
• Joint Notice
  – OHCA
  – All Covered Entities Must Abide by
  – Joint Notice Contains Elements Listed Above
  – States Entities in OHCA May Share PHI
  – OHCA Entities Now Provide the Notice
  – Entities Must Document Compliance
74
Notice of Privacy Practices
• Changes to Privacy Practices
  – Notice Must be Revised
  – Revised Notice Available to Individuals
  – No Changes Prior to Effective Date of Notice
  – If Not Reserved Right to Change, Covered Entity Bound for All Prior PHI Received
  – If Not Reserved, Change Only if
    • Meets Requirements Above
    • Effective Only as to PHI Created/Received After Date
75
ACCESS TO PHI
• Effective Feb. 17, 2010 - CE which maintains an EHR is required:
  – To produce a copy of such PHI in electronic format upon individual’s request
  – To transmit an electronic copy directly to an entity designated by the individual if request is clear and specific
  – Fees for this may not be greater than CE’s labor costs in responding to the request for the copy
76
Access to PHI
• Individual Has Right of Access and Inspection
• No Right to Psychotherapy Notes, Information Compiled for Legal Proceeding, or Exempt Under CLIA
• May Deny Without Review if For Above, if For Inmate, if During Research, if Under Privacy Act, or if Obtained From Another Party
• Access to “Designated Record Set”
77
Right of Access
• Must Provide Review if Refused Due to Endangerment, Due to Mention Another Person, or if Access by Personal Representative a Danger
• Response to Request Within 30 Days + 30 Day Extension
• If Reasonable, Must be in Requested Format or Summary if Acceptable; Cost-based Fee
78
Denial of Access
• Provide Access to Non-Objectionable PHI
• Written Denial, in Plain Language, of Basis and Complaint Process
• Notify Individual of Location if Not With Covered Entity
79
Right to Amendment
• Individual May Request Amendment to PHI
• Covered Entity May Deny if Not Its Record, Not Available for Access, or if Accurate
• Covered Entity May Require That in Writing and Provide Reason
• 60 Day Time Limit + 30 Day Extension
80
Acceptance of Amendment
• Covered Entity Must Amend/Append Record
• Covered Entity Must Notify Individual
• Covered Entity Must Notify Third Parties and Business Associates of Amendment
81
Denial of Amendment
• Must Provide Individual With Written Denial
• Provide Individual Right to Submit Statement in Disagreement
• Copies Sent Out to Third Parties
• Covered Entity May Submit Rebuttal Statement
82
Current Accounting of Disclosures Rule
• Individual has right to receive an accounting of disclosures of PHI by Covered Entity or its Business Associate up to 6 years prior to the request
• CEs and BAs required to track PHI disclosures that fall under accounting rule:
  – Date
  – Name of recipient of PHI (Address, if available)
  – Brief description of PHI
  – Purpose of the disclosure
83
Current Accounting of Disclosures Rule
• No tracking required:
  – For treatment
  – For payment
  – For healthcare operations
  – Incidental to permitted disclosures
  – Disclosures under an authorization
84
Current Accounting of Disclosures Rule
• No tracking required:
  – For the facility’s directory
  – To persons involved in the individual’s care
  – For national security or intelligence purposes
  – To law enforcement officials or correctional institutions about an inmate
85
Current Accounting of Disclosures Rule
• No tracking required:
  – As part of a limited data set, or information that has been de-identified
  – Made prior to April 14, 2003
  – Made more than 6 years prior to the date of the request
86
Current Accounting of Disclosures Rule
• Tracking required:
  – To the Secretary of DHHS
  – Required by law (e.g., mandated reporting under state law)
  – For public health activities/reporting
  – About victims of abuse, neglect or domestic violence
  – For health oversight activities (e.g., licensure actions)
87
Current Accounting of Disclosures Rule
• Tracking required:
  – In response to a court order
  – In response to a subpoena or discovery request
  – For law enforcement
  – To a medical examiner or funeral director, or for cadaveric organ donations
  – For research where authorization is not required
88
Suspension of Accounting
• Temporarily Suspend Accounting if Health Oversight Agency or Law Enforcement Official Provides Statement
• If in Writing, for as Long as Specified
• If Orally, for 30 Days
89
Providing the Accounting
• Date of Disclosure
• Name of Party Receiving
• Description of PHI
• Brief Statement of Purpose for Disclosure or Copy of the Request
• 60 Day Time Limit + 30 Day Extension
90
Request for Restriction on Use or Disclosure of PHI
• Request for Restrictions on Any Aspect
• Covered Entity Need Not Comply with Request
• If Agree, Then may Not Disclose Except in Emergency
  – Even Then, Must Obtain Assurance from Recipient That Will Not Further Disclose
  – Not a Bar to Disclosures for Facility Directory (Unless Otherwise Objects) or for Other Legally-Required Disclosures
• May Terminate Orally if Documented and Post-PHI Only
91
RESTRICTIONS ON DISCLOSURES
• Effective Feb. 17, 2010, CE must agree to requested restrictions on disclosures of PHI if:
• Disclosure is to health plan for purposes of carrying out payment or health care operations; and
• PHI pertains solely to an item/service for which provider involved was paid out of pocket in full
92
Uses and Disclosures of PHI Including Authorization, Business Associates, and Other Key Components
Lorman Education Services: Medical Records Law
March 23, 2012
Richard E. Nell, Nell & Associates, S.C.
Jesse A. Berg, Gray Plant & Mooty
93
Uses or Disclosures
• Use and Disclosure for Treatment, Payment, and Health Care Operations (“TPO”)
  – Covered Entity Generally May Use and Disclose PHI for TPO
  – No Consent – Now Notice of Privacy Practices
  – Treatment
    • Use or Disclose to Any Provider
  – Payment
    • Use or Disclose Minimum Necessary to Any Other
94
Uses or Disclosures
• Health Care Operations
  – Quality Assurance Activities
    • Quality Assessment and Guidelines, Case Mgmt.
  – Professional Competency Activities
    • Accreditation, Credentialing, Licensing
  – Insurance Activities
    • Underwriting, Premium Rating
  – Compliance Activities
    • Fraud and Abuse Compliance
  – Business Activities
    • Legal, Auditing, Business Planning, Sale of Practice
95
Uses or Disclosures
• De-Identified Information
  – Not PHI
  – May Statistically Determine That PHI has Been De-Identified
    • Qualified Individual Offer Professional Conclusion
    • Mathematically Not Identifiable
96
Uses or Disclosures
• De-Identified Information Safe Harbor
  – Names
  – Geographic Subdivisions
  – Dates
  – Telephone Numbers
  – Facsimile Numbers
  – Email Address
  – Social Security Numbers
  – Medical Record Numbers
  – Health Plans Numbers
97
Uses or Disclosures
• De-Identified Information Safe Harbor
  – Account Numbers
  – License Numbers
  – Vehicle Identifiers
  – Device Identifiers
  – URLs
  – Internet Addresses
  – Biometric – Finger and Voice Prints
  – Facial Photographs
  – Etc.
98
PROHIBITION ON SALE OF PHI
• Effective Feb. 2011 - HITECH prohibits CEs, BAs from receiving ANY payment for PHI, unless individual signs authorization
• Limited exceptions exist
  – Transfer in connection with sale or merger of CE
  – Transfer for treatment, public health or research activities
  – Providing individuals with copy of their PHI
• HHS to issue regulations by Aug. 2010
99
Sale of PHI
• Covered entity prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
• If authorization obtained, authorization must state that disclosure will result in remuneration
• Exceptions:
  – Public health
  – Research, if remuneration limited to cost to prepare and transmit PHI
  – Treatment & payment
100
Sale of PHI
• Exceptions (cont.)
  – Sale of business
  – Remuneration to BA for services rendered
  – Providing access or accounting to individual
  – Disclosure required by law
  – Where only remuneration received for otherwise permitted disclosure is reasonable, cost-based fee to prepare and transmit PHI or fee otherwise expressly permitted by other law
101
Authorization
• Elements
  – Meaningful Description of PHI
  – Identify Entities or Class Disclosing
  – Identify Entities or Class Receiving
  – Purpose
  – Expiration Date or Event
  – Individual’s Rights – Revocation
  – Marketing = Remuneration
  – Dated and Signed
102
Authorization
• Typically Cannot Condition Treatment Upon Execution
• Allowed to Condition if for Third Party – Fitness for Duty, etc.
• Health Plan May Condition for Underwriting or Risk Rating
• Provider May Condition for Research
103
Authorization
• Psychotherapy Notes Require
• Marketing Requires
• Research Typically Requires
• Any Use or Disclosure Not Addressed by the Rule
104
Use and Disclosure of PHI
• Overview
  – “Use”
    • Sharing, Employment, Application, Utilization, Examination, or Analysis of PHI Within the Covered Entity
  – “Disclosure”
    • Release, Transfer, Provision of Access to, or Divulging PHI In Any Manner Outside Covered Entity
105105
Use and Disclosure of PHI
• Mandatory Disclosures– CE Must Disclose to Individual or Personal
Representative– CE Must Disclose to DHHS for Investigation
106106
Other Uses or Disclosures Requiring Opportunity to
Object• Covered Entity may Use or Disclose PHI in
Limited Situations Based Upon Informal Permission
• Disclose to Family Members, Relatives, Individuals Identified Who Are Involved in Care or Treatment
• Use or Disclose for Facility Directory to Anyone Asking for by Name, Clergy
107107
Opportunity to Object
• Permission in Advance• No Documentation Required• If Emergency, May Disclose to Those
Involved in Care, if Professional Judgment Exercised
• Covered Entity May Release X-Rays, Rxs, Supplies to Person Acting on Individual’s Behalf, if Professional Judgment
108108
Other Uses or Disclosures Without Opportunity to
Object• Covered Entity Must Verify Identity of
Requester and Authority• Where Required by Law• Public Health Activities
– Reporting Disease– Reporting Vital Statistics– Reporting to FDA– Reporting to Employer– Reporting Communicable Diseases
109109
Disclosures Without Objection
• Victims of Abuse, Neglect, or Domestic Violence– Reasonably Believes and Required/Allowed
by Law– No Consent or Notification From/to
Individual if Danger– Notice to Personal Representative Unless
Harm
110110
Disclosures Without Objection
• Health Oversight Activities– Audits– Civil or Criminal Investigations– Not Where Individual’s Health is at Issue
111111
Disclosures Without Objection
• Law Enforcement– Where Required by Law– Information Must be Relevant– Minimum Necessary Disclosed
112112
Disclosures Without Objection
• Decedents– Disclose to Coroners, Medical Examiners, and
Funeral Directors to Carry out Duties
• Organ, Eye, or Tissue Donation– Use or Disclose PHI to Procurement
Organizations
113113
Disclosures Without Objection
• Research Purposes– Must Satisfy Conditions With Respect to IRB
Waiver
• To Avert Serious Threat to Public• Certain Specialized Governmental
Functions: National Security, VA, Military, Secret Service
• Workers Compensation Act
114114
Disclosures to Attorneys
• Subpoenas– Notice and Opportunity to Object or Move for
Qualified Protective Order (“QPO”)– QPO Not a Good Choice
• Would Appear to Require Return or Destruction• No “Not Feasible” Language in the Order
115115
Subpoenas
• Proposed Procedure– Notice Letter to Patient/Patient’s Attorney
• Allow for Reasonable Time (14 Days) to File Objection
• Dispute Over Notice to Attorney Only?
– Upon Conclusion of Time Period Send Subpoena, Copy of Notice Letter, and Cover Letter to Covered Entity
• One Package, Not Waiting on Objections
116116
Subpoena - Guidance
• A Copy of the Subpoena (or Other Lawful Process) is Sufficient When, On Its Face, It Meets the Requirements of 45 CFR 164.512(e)(1)(iii), Such as Demonstrating the Individual Who is the Subject of the PHI is a Party to the Litigation, Notice of the Request has Been Provided to the Individual or His or Her Attorney, and the Time for Objections has Elapsed and No Objections Were Filed or All Objections Have Been Resolved. When These Requirements are Evident on the Face of the Request, No Additional Documentation is Required.
• HHS FAQ #708
117117
Incidental Uses or Disclosures
• Where Covered Entity has Engaged in Reasonable Efforts to Safeguard PHI
• Minimum Necessary Utilized for Uses and Disclosures of PHI
• Unintentional or “Incidental” Uses or Disclosures Not Violation
• Byproduct of Otherwise Permissible Action
118118
MINIMUM NECESSARY RULE
• Current rule: – With certain exceptions, a CE must limit
uses and disclosures of PHI to the “minimum necessary” information for the purpose of the disclosure
• By Aug. 17, 2010, new regulations defining minimum necessary PHI
• Until that time, CE should limit PHI, to the extent practicable, to the “limited data set”– Excludes names, addresses, phone and fax
numbers, email, social security and medical record numbers and nine other identifiers
119119
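Added example (not from the slides or the presenters): Python that builds a limited data set and a Safe Harbor de-identified record from one constructed patient record, covering the identifier categories on the earlier safe-harbor slide and the limited data set described above. It goes beyond the slides in applying the Safe Harbor handling of dates, ages over 89 and three-digit ZIP codes; the field names and the small-population ZIP table are assumptions.

```python
import re
from datetime import date

# The 16 direct identifiers stripped for a limited data set (45 CFR 164.514(e)).
# Field names are assumptions for this example; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "face_photo",
}
# Date fields a limited data set keeps but Safe Harbor reduces to the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# PLACEHOLDER: 3-digit ZIP prefixes covering 20,000 or fewer people must be
# reported as "000" under Safe Harbor. Check this set against current Census
# figures before relying on it.
SMALL_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep only the first three ZIP digits, or 000 for sparse areas."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def limited_data_set(record):
    """Drop the 16 direct identifiers; dates, age and city/state/ZIP remain.
    A limited data set is still PHI and is shared only under a data use
    agreement for research, public health or health care operations."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record):
    """Apply the Safe Harbor method: remove or generalize all 18 identifier
    categories. Free-text fields are not scanned here and would need their
    own review before release."""
    out = limited_data_set(record)
    over_89 = isinstance(out.get("age"), int) and out["age"] > 89
    for field in DATE_FIELDS.intersection(out):
        out[field] = out[field].year          # the year alone is permitted
    if over_89:
        out["age"] = "90+"                    # ages over 89 are aggregated
        out.pop("dob", None)                  # birth year would reveal the age
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    out.pop("city", None)                     # geography below state level
    return out


SAMPLE_RECORD = {  # constructed sample record, not real patient data
    "name": "Pat Example", "street": "1 Placeholder St", "city": "Milwaukee",
    "state": "WI", "zip": "53202-1234", "dob": date(1931, 5, 2), "age": 80,
    "phone": "555-0100", "email": "pat@example.invalid", "ssn": "000-00-0000",
    "mrn": "MRN-000001", "ip_address": "192.0.2.10",
    "admit_date": date(2011, 3, 1), "discharge_date": date(2011, 3, 4),
    "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE_RECORD))
    print(safe_harbor(SAMPLE_RECORD))
```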
Minimum Necessary
• Must Use or Disclose the Minimum Necessary PHI to Carry Out Task
• Specifically Restricted From Using Entire Medical Record
• May Reasonably Rely Upon Statement of Professional or Law Enforcement
• Internally, Restrict Access – Role-Based

Minimum Necessary
• Exceptions
  – Treatment
  – Authorization
  – To the Individual
  – To DHHS
  – Where Required by Law, Including HIPAA

Law Enforcement
• Disclosure for law enforcement purpose to law enforcement official
  – As required by law; reporting of wounds/injuries
  – To comply with a court order or court-ordered warrant, a subpoena or summons
  – In response to a grand jury subpoena
  – To respond to an administrative request
  – Only Minimum Necessary

Law Enforcement Official
• Definition of Law Enforcement Official
  – Officer or employee of US, State, Tribe, or political subdivision
  – Empowered by law to investigate or
  – Prosecute or conduct criminal, civil, or administrative proceeding
• If requesting official unknown, Covered Entity must identify and verify authority of official
  – CE may reasonably rely upon official’s representation that minimum necessary requested

Required by Law
• To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i))
  – Example: state laws commonly require providers to report gunshot or stab wounds, or other violent injuries
  – Required by law
    • Mandate contained in law compelling disclosure which is enforceable in a court of law

Process
• Court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer (45 CFR 164.512(f)(1)(ii)(A))
  – The Rule recognizes the legal process in obtaining a court order protects the PHI
  – “Judicial Officer”
    • Preamble originally required “finding”
    • Term is not defined – look to state law?
    • Appears to be different than “court”

Grand Jury Subpoena
• To comply with a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(B))
  – State or Federal Grand Jury
  – The Rule recognizes that the secrecy of the grand jury process provides protections for the individual’s PHI

Administrative Request
• To respond to an administrative request, such as an administrative subpoena or summons, civil or authorized investigative demand or similar process authorized under law (45 CFR 164.512(f)(1)(ii)(C))
  – May be without judicial involvement
  – Must provide that:
    • PHI is relevant and material,
    • PHI is specific and limited in scope, and
    • De-identified information not sufficient

Identification and Location
• Disclosure of limited information in response to request of law enforcement official for purpose of identifying or locating a suspect, fugitive, material witness, or missing person (45 CFR 164.512(f)(2))
• Only if “requested”
  – Request may be oral or written
  – Includes person acting on behalf of law enforcement
    • E.g., media making announcement seeking public’s assistance in identifying suspect or “Wanted” Poster

Limited Information
• Limited information to be disclosed:
  – Name and address
  – Date and place of birth
  – Social Security number
  – ABO blood type and Rh factor
  – Type of injury
  – Date and time of treatment
  – Date and time of death
  – Distinguishing physical characteristics
    • Height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos

Information Not to be Disclosed
• Except as otherwise permitted, following information not to be disclosed
• PHI relating to:
  – DNA or DNA analysis
  – Dental records
  – Typing, samples, or analysis of body fluids or tissue

Victims of Crime
• Disclosure of PHI in response to law enforcement official’s request for information about victim or suspected victim of crime (45 CFR 164.512(f)(3))
• Only if individual agrees
  – Agreement may be oral or written
• If unable to obtain agreement, other factors must be satisfied

Victims of Crime
• Disclosure if individual agrees or
• Lack of agreement due to incapacity or emergency and
  – Law enforcement official represents PHI is needed to determine if violation of law by person other than victim and not intended to be used against victim
  – Law enforcement official represents that immediate action depends upon disclosure and would be materially and adversely impacted if waited; and
  – Disclosure is in the best interests of individual in professional judgment

Workforce Victims
• No violation if workforce member who is the victim of a criminal act discloses PHI to a law enforcement official (45 CFR 164.502(j)(2))
  – PHI is about the suspected perpetrator
  – Only limited information (name, address, SSN, date of treatment, etc.)
  – Crime does not need to occur on premises

Other Provisions on Victims
• Child abuse victims or adult victims of abuse, neglect or domestic violence, other provisions apply:
  – Child abuse or neglect reported to law enforcement official authorized by law to receive such reports and agreement of individual is not required (45 CFR 164.512(b)(1)(ii))
Business Associates
• Historically not Covered Directly by HIPAA
• Third Parties Who Use or Disclose PHI on Behalf of a Covered Entity, Other Than as Workforce Member
• Workforce Member
  – More Than Employees
  – Also Volunteers, Aides, Trainees, and Some Agents

Business Associates
• Examples
  – Claims Processing
  – Utilization Review
  – Quality Assurance
  – Billing
  – Legal
  – Accounting
  – Consulting

Business Associates
• Covered Entity Must Obtain Satisfactory Assurances From Business Associate
  – Business Associate Agreement
  – If Public Entities, Memorandum of Understanding
  – Covered in Greater Detail

Identifying Business Associates
• Formal Definition
  – Person Who on Behalf of Covered Entity or OHCA Performs or Assists in Activity Involving Use or Disclosure of PHI
    • Including Claims Processing, Data Analysis or Processing, Billing, Etc.
• Or
  – Who Provides Legal, Actuarial, Accounting, Consulting, or Similar Services Involving Use or Disclosure of PHI
• Not a Workforce Member

Entities/Persons Not Business Associates
• Workforce Members
  – Workforce Includes Employees, Volunteers, Trainees, and Other Persons Conducting Work Under Direct Control of Covered Entity
  – Look Beyond Titles
  – If Workstation on Site, Then Likely Workforce
  – If No BA Agreement, Then Presumed to be Workforce

Not Considered Business Associates
• Entity Not Using or Disclosing PHI
  – Regardless of Title
  – Examples: Janitors, Maintenance Services
  – Only Incidental Uses or Disclosures

Not Business Associates
• OHCA
  – Organized Health Care Arrangement
  – Technical Relationship
  – Same Said Regarding Affiliated Covered Entities (“ACE”)

Not Business Associates
• Conduits
  – Entity or Person That Transports PHI, but Only Accesses it Incidentally
  – Examples: US Mail, Couriers, Electronic Transmitters

Not Business Associates
• De-Identified Information
  – Where Identifying Factors Removed, No Need to Protect
  – Any Person May Use or Disclose De-Identified Information

Not Business Associates
• Covered Entities
  – May Be Considered a Business Associate of Another Covered Entity
  – If Acting as Business Associate, and Makes Mistake, Then DHHS Will Treat as Covered Entity and Not Business Associate

Business Associate Contract/Agreement
• Documents the Satisfactory Assurances
• Prerequisite Before Covered Entity May
  – Disclose PHI to the BA
  – Allow BA to Create PHI on Behalf of the Covered Entity
  – Allow BA to Receive PHI on Behalf of the Covered Entity

No Business Associate Contract or Agreement
• Covered Entity Transmitting PHI to a Provider for Treatment
• Group Health Plan and Plan Sponsor, If Otherwise Comply With Rule
• Interagency Disclosure Among Government Health Plans

Business Associate Agreement
• Non-Governmental Entities
  – Written Contract Required
  – Permitted and Required Uses and Disclosures of PHI
  – BA Not Further Use or Disclose
  – BA Use Appropriate Safeguards
  – BA Report Breach
  – BA Ensure Subcontractors Agree to Same Terms

Business Associate Agreement Terms
• Make PHI Available for Access
• Make PHI Available for Amendment and Incorporate Amendments
• Make PHI Available to Prepare Accounting
• Compliance with DHHS Investigation
• Return, Destroy, or Safeguard PHI

Business Associate Agreement
• Covered Entity Must Be Able to Terminate if Violation
• Covered Entity Must Attempt to Mitigate or Cure Breach, and Report to DHHS

Business Associate Agreement Additions
• Permit BA to Use or Disclose PHI to Provide Data Aggregation Services
  – Combining PHI From One Covered Entity with PHI of Another to Prepare Data Analysis That Relates to Operations of the Respective Covered Entities

Business Associate Agreement Additions
• BA May USE PHI
  – Proper Management and Administration
  – Carry Out Legal Responsibilities
• BA May DISCLOSE PHI
  – Proper Management and Administration
  – Carry Out Legal Responsibilities
  – Reasonable Assurances Obtained

Business Associate Model Contract
• Not State Law Compliant
• Not All Essential Terms
• Not All Desirable Terms

Suggested Business Associate Agreement Terms
• Negotiating Power/Leverage Deciding Factor
  – Large Provider vs. Small BA
  – JCAHO vs. Large Provider
• Damages/Liquidated Damages Clauses
• Indemnification Clauses
• Insurance Coverage Requirement
• Burden of Proof
• CE Will Oversee BA Response to Access, Amendment, Accounting, and Any Other Disclosures

Other Terms in Your BAA
• Many Covered Entities Require Indemnification Clause in Business Associate Agreement
  – Contractual Indemnity May Void Legal Malpractice Insurance Coverage
  – Appears that Contractual Obligation Imposed Under BAA Would be Covered
• Best Choice for Client May be No Indemnification Clause
  – Full Disclosure – Conflict of Interest?

Other Aspects of Relationship
• Privacy Rule Requires Business Associate to Return or Destroy PHI Upon Conclusion or Termination of Relationship
  – Not Required if “Not Feasible” But Then Must Extend Protections to PHI
  – Attorney Obligated to Maintain Records

Accountability
• Penalties for Non-Compliance – On Covered Entity
• If Covered Entity Knew of Pattern or Practice That Constitutes Material Breach
  – CE Must Take Steps to Cure Breach or End Violation
  – If Unsuccessful, CE May Terminate Agreement
  – If Termination Not Feasible, Then Report to DHHS
  – Not Obligated to Monitor
  – Must Investigate All Complaints
  – Must Act Upon Any Knowledge of Violation

New Definition of Business Associate?
• Health Information Organizations
• E-Prescribing Gateways
• Others that provide
  – Data transmission services with respect to PHI and
  – Require access on a routine basis to such PHI
• “Conduits” that only access PHI on random or infrequent basis to support transport are not BAs

Definition of Business Associate
• PHR vendors acting on behalf of covered entities are BAs
  – PHR vendor can be a BA with respect to only some individuals
• Subcontractors
  – Treated as BAs if they create, receive, maintain, or transmit PHI on behalf of a BA
  – BA must have BA agreement with subcontractor BA
  – No BA agreement required between CE and subcontractor BA

Business Associates
• BAs directly liable for:
  – Security Rule violations
  – Impermissible uses and disclosures under Privacy Rule
    • Uses and disclosures must comply with Privacy Rule and business associate agreement
  – Failure to disclose to Secretary or provide e-access
  – Minimum necessary rule
• Covered entities (and BAs) liable for acts of BAs acting as agents within scope of agency
• BA must take reasonable steps in response to impermissible pattern or practice of subcontractor BA

Business Associate Contracts—Amendments Required?
• HITECH statute said privacy and security requirements that apply to covered entities
  – “shall be incorporated into business associate agreement”
• Uncertainty as to whether this required an actual amendment or provisions incorporated into BA contracts as matter of law

Business Associate Contracts—Amendments Required?
• Under Proposed Rule following provisions need to be added:
  – BAs to use appropriate safeguards and comply with Security Rule with respect to E-PHI
  – BAs must report to CE any breach of unsecured PHI
  – Enter into written agreements with subcontractors that create/receive PHI on behalf of BA imposing same restrictions that apply to BA
  – BAs must comply with Privacy Rule to extent BA is to carry out a CE’s obligation under the Privacy Rule

Compliance Date, Generally
• Covered entities and BAs will have 240 days from publication of final rule to comply
  – Rule will become effective 60 days after publication
  – Additional 180-day compliance period
• Enforcement Rule changes effective immediately when final rule goes into effect

Compliance Date for Amending Business Associate Contracts
• If (1) a BA contract (compliant with pre-HITECH BA requirements) is entered into prior to publication date of Final Rule; and
• (2) that contract is not renewed or modified during the time period that is 60 days to 240 days after the publication of the final rule, then the contract deemed to be compliant until the earlier of:
  – The date the contract is renewed or modified on or after the 240-day post-publication date; or
  – The date that is one year and 240 days after publication of the Final Rule
• Bottom Line:
  – CEs and BAs will have up to 1 year and 8 months after Final Rule published to revise BA agreements
  – BAs must comply with other applicable provisions of Privacy and Security Rules during this transition period
Notification by Business Associates
• BAs required to notify CE of breach
• Notification to occur no later than 60 days after discovery of breach
• Breach treated as discovered by BA as of first day breach is known to BA, or through reasonable diligence, would have been known
• BA deemed to have knowledge of breach if breach would have been known through reasonable diligence to anyone who is agent of BA
• If BA is an agent, then BA’s discovery of breach is imputed to CE

Business Associates
• Historically were not covered directly by HIPAA
  – Generally liable only for breaching their business associate agreement with a covered entity
• HITECH:
  – Clarifies that certain entities are BAs
  – Expands HIPAA requirements that apply to BAs

Business Associates—who is a BA?
• In the past, entities that provided networks or other hardware for data transmission were not considered BAs
• Under HITECH, entities that provide data transmission services and require access to PHI are BAs, including:
  – Health information exchange organizations
  – RHIOs
  – E-Prescribing gateways
  – PHR vendors that provide PHRs to covered entities

Business Associates—New Requirements
• HITECH: BAs are required to:
  – Notify CE if they discover a breach
  – Directly comply with HIPAA Security Rule administrative, physical and technical safeguards and documentation requirements—as if they were CEs
  – Means regulators may impose fines directly on BAs who fail to comply with Security Rule

Business Associates—New Requirements
• HITECH: BAs are required to:
  – Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their BA contracts
  – Means BAs are subject to same penalties as CEs if they violate Privacy Rule

Business Associates—New Requirements
• Other HITECH privacy and security requirements that apply to covered entities
  – “shall be incorporated into business associate agreement”

Business Associates—New Requirements
WHAT DOES THIS MEAN FOR BAs?
• BAs must take action if they know of a pattern of activity or practice by CE that constitutes a breach of the CE’s obligations under the contract:
  – Reasonable steps to cure breach
  – Terminate the arrangement
  – Report the problem to HHS if termination is not feasible
• If BA does not do the above, it may be liable for HIPAA penalties

HIPAA and Attorneys
• Interaction of HIPAA Requirements Imposed Upon Attorneys via Business Associate Agreements

Business Associates
• Business Associate Means a Person, Other Than a Workforce Member, Who:
  – Provides Legal, Actuarial, Accounting, Consulting, …, Where the Provision of the Service Involves the Disclosure of Individually Identifiable Health Information
• Lawyers May Be Business Associates

Business Associate Agreement
• Covered Entity Must Enter Into Business Associate Agreement With Lawyer if Using or Disclosing Protected Health Information (“PHI”)
• If Business Associate Fails to Comply, Covered Entity Must Do One of the Following:
  – Try to Cure Breach
  – Terminate the Agreement
  – Report Violation to DHHS

Violation of Business Associate Agreement
• If Business Associate Violates Agreement, and Covered Entity Fails to Act, Then Covered Entity is Subject to Penalties
• Note that Business Associate Attorney is NOT Subject to Penalties
  – Privacy Rule Does Not Directly Govern Business Associates

Business Associate Agreement Terms
• Agreement Must Contain Specified Terms:
  – Permitted and Required Uses and Disclosures of PHI
  – Required Safeguards for PHI
  – Ensure Subcontractors Comply
  – Make PHI Available for Access, Accounting, and Amendment
  – Upon Termination, Return, Destroy, or Keep in Accordance with Privacy Rule

Business Associate Agreement
• Specified Terms of BA Agreement Include that Business Associate Must:
  – Make its Internal Practices, Books, and Records Relating to the Use and Disclosure of Protected Health Information (“PHI”) Available to DHHS for Inspection to Determine Compliance

Waiver/Loss of Protections
• BA Agreement Requirement That BA Attorney Must Make Internal Practices, Books, and Records Available
  – Could Result in Requiring Production of Privileged and/or Work Product Materials
  – Issue Whether Must Produce to DHHS and Whether Waives Protections as to Others

Overview of HIPAA Security Rule: Obligations of Covered Entities and Business Associates

Lorman Education Services: Medical Records Law
March 23, 2012

Richard E. Nell, Nell & Associates, S.C.
Jesse A. Berg, Gray Plant & Mooty
HIPAA Security Rule
• Security Rule
  – Addressable Implementation Specifications (“AIS”)
  – Allows Covered Entities Additional Flexibility
  – Covered Entity Must Do One of the Following
    • Implement One or More AIS
    • Implement One or More Alternative Security Measures
    • Implement One or the Other
    • Implement Neither

Security Rule
• Security Rule Administrative Safeguards
  – Security Management Process
    • Implement Policies and Procedures to Prevent, Detect, Contain, and Correct Security Violations
    • Implementation Analysis
      – Risk Analysis (Required)
        » Conduct an Accurate and Thorough Assessment of the Potential Risks and Vulnerabilities to the Confidentiality, Integrity, and Availability of Electronic Protected Health Information
      – Risk Management (Required)
        » Implement Security Measures Sufficient to Reduce Risks and Vulnerabilities to a Reasonable and Appropriate Level

Security Rule
• Security Rule Administrative Safeguards
  – Implementation Analysis (Continued)
    • Sanction Policy (Required)
      – Appropriate Sanctions Against Workforce Members Who Fail to Comply With the Security Policies and Procedures
    • Information System Activity Review (Required)
      – Implement Procedures to Regularly Review Records of Information System Activity, Such As Audit Logs, Access Reports, and Security Incident Tracking Reports
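Added example (not from the slides or the presenters): a small Information System Activity Review pass in Python over constructed audit-log lines, checking the role-based minimum-necessary restriction and the restriction on pulling the entire medical record from the Minimum Necessary slides, plus access by accounts that termination procedures should have disabled. The log format, role names and PHI categories are assumptions.

```python
import re
from datetime import datetime

# Role-based, minimum-necessary access matrix (assumption for illustration):
# the PHI categories each role needs to carry out its tasks.
ROLE_CATEGORIES = {
    "nurse": {"demographics", "meds", "clinical_notes", "labs"},
    "billing": {"demographics", "claims"},
    "him": {"demographics", "meds", "clinical_notes", "labs", "claims"},
}
# Only release-of-information staff may export an entire medical record.
FULL_RECORD_EXPORT_ROLES = {"him"}
# Termination procedures: user -> date on which access should have ended.
TERMINATED = {"tsmith": datetime(2012, 2, 15)}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict (timestamp as 'ts')."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return event


def review(lines):
    """Return (user, finding, detail) for every policy violation in the log."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        user, role = ev["user"], ev["role"]
        # Account still active after its termination date
        if user in TERMINATED and ev["ts"] >= TERMINATED[user]:
            findings.append((user, "access_after_termination", ev["patient"]))
        # Category outside what the role needs; unknown roles are allowed nothing
        if ev["category"] not in ROLE_CATEGORIES.get(role, set()):
            findings.append((user, "outside_role_scope", ev["category"]))
        # Whole-chart export by a role not cleared for it
        if (ev["action"] == "export" and ev.get("scope") == "full_record"
                and role not in FULL_RECORD_EXPORT_ROLES):
            findings.append((user, "full_record_export", ev["patient"]))
    return findings


SAMPLE_LOG = [  # constructed log lines, not from any real system
    "2012-03-01T08:15:22 user=jdoe role=nurse action=view patient=P001 category=meds",
    "2012-03-01T08:17:03 user=bkim role=billing action=view patient=P001 category=clinical_notes",
    "2012-03-01T09:02:41 user=tsmith role=nurse action=view patient=P002 category=labs",
    "2012-03-01T11:30:00 user=jdoe role=nurse action=export patient=P003 category=clinical_notes scope=full_record",
    "2012-03-01T12:00:00 user=rlee role=him action=export patient=P003 category=clinical_notes scope=full_record",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```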
Security Rule
• Security Rule Administrative Safeguards
  – Assigned Security Responsibility
    • Identify the Security Official
  – Workforce Security
    • Implement Policies and Procedures to Ensure That All Members of Its Workforce Have Appropriate Access to Electronic Protected Health Information
    • Prevent Those Workforce Members Who Do Not Have Access From Obtaining Access

Security Rule
• Security Rule Administrative Safeguards
  – Workforce Security (Continued)
    • Implementation Analysis
      – Authorization and/or Supervision (Addressable)
        » Procedures for the Authorization And/or Supervision of Workforce Members Who Work With Electronic Protected Health Information
      – Workforce Clearance Procedure (Addressable)
        » Procedures to Determine That the Access of a Workforce Member to Electronic Protected Health Information

Security Rule
• Security Rule Administrative Safeguards
  – Workforce Security Implementation Analysis (Continued)
    • Termination Procedures (Addressable)
      – Procedures for Terminating Access to Electronic PHI When Employment Ends
  – Information Access Management
    • Implement Policies and Procedures for Authorizing Access to Electronic Protected Health Information

Security Rule
• Security Rule Administrative Safeguards
  – Information Access Management Implementation Analysis
    • Isolating Clearinghouse Functions (Required)
    • Access Authorization (Addressable)
      – Implement Policies and Procedures for Granting Access to Electronic Protected Health Information
    • Access Establishment and Modification (Addressable)
      – Implement Policies and Procedures That, Based Upon the Entity's Access Authorization Policies, Establish, Document, Review, and Modify a User's Right of Access

Security Rule
• Security Rule Administrative Safeguards
  – Security Awareness and Training
    • Implementation Analysis
      – Security Reminders (Addressable)
        » Periodic Security Updates
      – Protection From Malicious Software (Addressable)
        » Procedures for Guarding Against, Detecting, and Reporting Malicious Software
      – Log-In Monitoring (Addressable)
        » Monitor Access and Discrepancies
      – Password Management (Addressable)
        » Procedures for Creating, Changing, and Safeguarding

Security Rule
• Security Rule Administrative Safeguards
  – Security Incident Procedures
    • Implementation Analysis
      – Response and Reporting (Required)
        » Identify and Respond to Suspected or Known Security Incidents; Mitigate Harmful Effects of Security Incidents and Document Security Incidents and Their Outcomes

Security Rule
• Security Rule Administrative Safeguards
  – Contingency Plan
    • Implementation Analysis
      – Data Backup Plan (Required)
        » Procedures to Create and Maintain Retrievable Exact Copies of Electronic Protected Health Information
      – Disaster Recovery Plan (Required)
      – Emergency Mode Operation Plan (Required)
        » Procedures to Enable Continuation of Critical Business Processes for Protection of the Security of Electronic Protected Health Information While Operating in Emergency Mode

Security Rule
• Security Rule Administrative Safeguards
  – Contingency Plan Implementation Analysis (Continued)
    • Testing and Revision Procedures (Addressable)
    • Applications and Data Criticality Analysis (Addressable)
  – Evaluation
    • Implementation Analysis
      – Periodic Technical and Nontechnical Evaluation, Based Initially Upon the Standards Implemented Under This Rule and Subsequently, in Response to Environmental or Operational Changes Affecting the Security of Electronic Protected Health Information

Security Rule
• Security Rule Physical Safeguards
  – Facility Access Controls
    • Implementation Analysis
      – Contingency Operations (Addressable)
        » Procedures That Allow Facility Access in Support of Restoration of Lost Data
      – Facility Security Plan (Addressable)
        » Procedures to Safeguard the Facility and the Equipment
      – Access Control and Validation Procedures (Addressable)
        » Procedures to Control and Validate a Person's Access to Facilities Based on Their Role or Function

Security Rule
• Security Rule Physical Safeguards
  – Facility Access Controls Implementation Analysis (Continued)
    • Maintenance Records (Addressable)
      – Procedures to Document Repairs and Modifications to the Physical Components of a Facility
  – Workstation Use
    • Procedures That Specify the Proper Functions to Be Performed, the Manner in Which Those Functions Are to Be Performed, and the Physical Attributes of the Surroundings of a Specific Workstation or Class of Workstation
  – Workstation Security
    • Physical Safeguards for All Workstations

Security Rule
• Security Rule Physical Safeguards
  – Device and Media Controls
    • Implementation Analysis
      – Disposal (Required)
      – Media Reuse (Required)
      – Accountability (Addressable)
      – Data Backup and Storage (Addressable)

Security Rule
• Security Rule Technical Safeguards
  – Access Control
    • Implementation Analysis
      – Unique User Identification (Required)
        » Unique Name And/or Number for Identifying and Tracking User Identity
      – Emergency Access Procedure (Required)
        » Procedures for Obtaining Necessary Electronic Protected Health Information During an Emergency
      – Automatic Logoff (Addressable)
      – Encryption and Decryption (Addressable)

Security Rule
• Security Rule Technical Safeguards
  – Audit Controls
    • Hardware, Software, And/or Procedural Mechanisms That Record and Examine Activity in Information Systems
  – Integrity
    • Procedures to Protect Electronic Protected Health Information From Improper Alteration or Destruction
    • Mechanism to Authenticate Electronic PHI (Addressable)

Security Rule
• Security Rule Technical Safeguards
  – Person or Entity Authentication
    • Procedures to Verify That a Person or Entity Seeking Access to Electronic Protected Health Information Is the One Claimed
  – Transmission Security
    • Integrity Controls (Addressable)
      – Security Measures to Ensure That Electronically Transmitted Electronic Protected Health Information Is Not Improperly Modified Without Detection
    • Encryption (Addressable)
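Added example (not from the slides or the presenters): a Python HMAC-based integrity mechanism for ePHI at rest (the "mechanism to authenticate electronic PHI" on the Integrity slide) and in transit (the transmission integrity control above), showing how an improper alteration and a tag copied from another record are both detected. The key handling, record layout and storage dict are assumptions.

```python
import copy
import hashlib
import hmac
import json
import os

# Integrity key. PLACEHOLDER: generated per process so the example runs
# stand-alone; a real deployment loads it from a key store and rotates it.
INTEGRITY_KEY = os.urandom(32)


def canonical_bytes(record):
    """Deterministic serialization so identical content always yields the
    same tag regardless of dict ordering or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record_id, record, key=INTEGRITY_KEY):
    """Tag bound to the record id as well as the content, so a valid tag
    cannot be moved from one patient's record onto another's."""
    msg = record_id.encode() + b"\x00" + canonical_bytes(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(record_id, record, tag, key=INTEGRITY_KEY):
    """True only if record is exactly what was sealed under record_id."""
    return hmac.compare_digest(seal(record_id, record, key), tag)  # constant time


def store_record(store, record_id, record):
    """Write a record together with its integrity tag."""
    store[record_id] = {"data": copy.deepcopy(record),
                        "tag": seal(record_id, record)}


def load_record(store, record_id):
    """Read a record, refusing to return data whose tag no longer matches."""
    entry = store[record_id]
    if not verify(record_id, entry["data"], entry["tag"]):
        raise ValueError(f"integrity failure on record {record_id}")
    return entry["data"]


def pack_for_transmission(record_id, record):
    """Sender side of an integrity control for ePHI in transit. (Integrity
    only: confidentiality needs encryption on top of this.)"""
    return json.dumps({"id": record_id, "data": record,
                       "tag": seal(record_id, record)}).encode()


def unpack_received(payload, key=INTEGRITY_KEY):
    """Receiver side: returns (record_id, record) or raises on modification."""
    msg = json.loads(payload)
    if not verify(msg["id"], msg["data"], msg["tag"], key):
        raise ValueError("transmitted ePHI was modified in transit")
    return msg["id"], msg["data"]


def demo():
    """Store, tamper, detect; returns the observed outcomes for checking."""
    store = {}
    store_record(store, "P001", {"allergies": ["penicillin"], "dose_mg": 50})
    store_record(store, "P002", {"allergies": [], "dose_mg": 500})
    results = {"clean_read": load_record(store, "P001")["dose_mg"]}

    store["P001"]["data"]["dose_mg"] = 500          # improper alteration at rest
    try:
        load_record(store, "P001")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # Tag copied from P002 is not valid for P001 even with P002's content
    results["swapped_tag_rejected"] = not verify(
        "P001", store["P002"]["data"], store["P002"]["tag"])

    payload = pack_for_transmission("P003", {"dose_mg": 50})
    results["transit_clean"] = unpack_received(payload)[1]["dose_mg"]
    tampered = payload.replace(b'"dose_mg": 50', b'"dose_mg": 500')  # in-flight edit
    try:
        unpack_received(tampered)
        results["transit_tamper_detected"] = False
    except ValueError:
        results["transit_tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```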
Security Rule
• Security Rule Organizational Requirements– Business Associate Contracts
• Very Similar to the Requirements Imposed for Business Associates Under the Privacy Rule
– Group Health Plans• Except in Certain Situations, Group Health Plan
Must Ensure That Its Plan Documents Provide That the Plan Sponsor Will Reasonably and Appropriately Safeguard Electronic Protected Health Information Created, Received, Maintained, or Transmitted to or by the Plan Sponsor on Behalf of the Group Health Plan
196196
Security Rule
• Security Rule Policies and Procedures and Documentation Requirements– Policies and Procedures
• Implementation Analysis– Reasonable and Appropriate Policies and
Procedures to Comply With the Standards, Implementation Specifications, or Other Requirements
197197
Security Rule
• Security Rule Policies and Procedures• Documentation
– Implementation Analysis• Time Limit (Required)
– 6 Years
• Availability (Required)• Updates (Required)
198198
Security Rule
199
HIPAA Breach Notification
Lorman Education Services: Medical Records Law
March 23, 2012
Richard E. NellNell & Associates, S.C.
Jesse A. BergGray Plant & Mooty
200200
Breach Notification
• Previous Rule: – Covered Entities (“CEs”) must mitigate, to the extent
practicable, any harmful effect that is known to the CE of an unauthorized use or disclosure of PHI by the CE or its Business Associate (“BA”)
• HITECH established breach notification requirement for CEs and BAs
• “Interim” Final Regulations published on Aug. 24, 2009 (74 FR 42740)
– Regulations will be at 45 CFR Subpart D
• Effective on Sept. 23, 2009• 6-month delay in enforcement
201201
Breach Notification
• The Basics:– Covered Entities must provide notification to
individuals in event of breach of the security or privacy of unsecured PHI
– Notice must also be provided to HHS– BAs must provide notice to CEs
202
Breach Notification
• Interim Final Rule (Aug. 2009)– Effective Sept. 23, 2009– Final Rule submitted to OMB in May, 2010 but
withdrawn “for further consideration”
• Key elements:– Notification if breach of unsecured PHI and significant
risk of harm– “Unsecured” = unusable, unreadable or indecipherable– Notice w/in 60 days of discovery or date “should have
known.” Content requirements for notice– Notice to media and HHS if more than 500 people;
annual reporting to HHS if less than 500 people– Direct application to Covered Entities and BAs
203203
Key Terms—”Unsecured PHI”
• PHI not secured through use of a technology or methodology specified in Federal Register guidance published by HHS on 4/27/09 (74 FR 19006)
– Encryption (as specified in Security Rule)
– Destruction of media on which PHI is stored or recorded
• Why secure your PHI?
Breach Notification Analysis
• If your PHI is “unsecured,” a 3-step analysis applies:
– Has there been an impermissible use or disclosure of PHI under the Privacy Rule?
– Has the impermissible use or disclosure compromised the security or privacy of the PHI?
– Does an exception apply?
Step 1—“Breach”
• The “acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E (the HIPAA privacy rule) which compromises the security or privacy of the PHI”
– Information must be PHI
– For disclosure, acquisition, etc., to be a “breach” it must violate the Privacy Rule
Step 2—“Compromises Security or Privacy of PHI”
• Harm threshold must be met for breach to “compromise the security or privacy of the PHI”
– Must pose a significant risk of financial, reputational or other harm to the individual
• CEs and BAs must perform “risk assessment” to determine whether this threshold is met
• Documentation of risk assessment is key for CE, BA if they decide harm threshold has not been met
Step 2—“Compromises Security or Privacy of PHI”
• Risk assessment factors:
– Status of person who impermissibly used or to whom the PHI was improperly disclosed
– Nature of mitigation efforts undertaken
– Whether PHI was returned prior to being accessed for improper purpose
– Type and amount of PHI involved
– If a limited data set (LDS) was involved, whether the date of birth and zip code are also excluded (if so, not a breach). Also, likelihood of re-association with individual is factor to be considered.
Step 3—the “Exceptions”
• 3 Exceptions:
– (1) Unintentional acquisition, access or use of PHI by work force member or person acting under authority of CE or BA, if acquisition was made in good faith, within scope of authority and does not result in further impermissible use or disclosure
Step 3—the “Exceptions”
• (2) Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE, BA (or OHCA in which CE participates) and information received is not further used or disclosed in an impermissible manner
Step 3—the “Exceptions”
• (3) A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information
Notification
• Breach discovered on the first day it is known, or by exercising reasonable diligence, would have been known
• Notice can be imputed to CE or BA from a variety of its representatives, including employees (other than the employee causing the breach) and from agents
Timing of Notification
• All notifications must be made without unreasonable delay
– No later than 60 calendar days after discovery
– Burden on notifying entity to demonstrate that
• All required notifications were made
• Explain any delays
• 60 day period not tolled by time spent in analysis or investigation
• Limited delay if requested by law enforcement
Methods of Notice
• Notice must be
– In writing
– By first class mail
– Sent to the last known address of individual (if individual specified preference for email notification, that should be done)
– One or more mailings (as more information becomes available)
– If more than 500 residents of a state or jurisdiction are affected:
• Notices described above; and
• Notification to prominent media outlets in state or jurisdiction
Methods of Notice
• Special circumstances notices:
– If insufficient or out-of-date information and
– Fewer than 10 affected people:
• By an alternative form of written notice, telephone or other means
– More than 10 affected people:
• Conspicuous posting for 90 days on CE’s homepage; or
• Notice to major print or broadcast media
• Must include toll-free phone number
• Notice to HHS:
– If more than 500 individuals affected, notice must be contemporaneous with notice to individuals
– Can keep log of breaches affecting fewer people and provide annually to HHS
– HHS to publicize breached entities on its web site
Content of Notice
• All notices, to the extent possible, must include:
– Description of what happened, including date of breach and date breach was discovered
– Description of the types of unsecured PHI involved in the breach
– Steps individuals should take to protect themselves from potential harm resulting from breach
– Description of what CE is doing to investigate breach, mitigate harm to the individual and protect against further breaches
– Contact procedures for individuals to ask questions or learn additional information, including toll-free number, email, web site or postal address
Wisconsin Law
Applicable Medical Records Statutes & Regulations
• Wisconsin Statutes:
– 51.30(4): Access to Registration and Treatment Records
– 134.97: Disposal of Records Containing Personal Information
– 146.81-146.84: Health Care Records
– 146.83: Access to Patient Health Care Records
– 146.83(3f): Record Copy Fees
– 153.50-153.55: Protection of Patient Confidentiality
– 610.70: Disclosure of Personal Medical Information
– 146.82: Confidentiality of Patient Healthcare Records
– 252.15: Restrictions on use of an HIV Test
– 118.125: Pupil Records
– 631.89: Restrictions on use of Genetic Test Results
– 51.47: AODA Treatment for Minors without Parental Consent
Applicable Medical Records Statutes & Regulations
• DHS:
– 92: Confidentiality of Treatment Records
– 94: Patient Rights and Resolution of Patient Grievances
– 89.34: Residential Care Apartments & Complexes - Rights of Tenants
– 145.12: Certification of public health dispensaries
– 124.14: Medical Records Services
– 105.36: Family Planning Clinics or Agencies
– 104.01: Recipient rights
– 109.51: Provider Responsibility
– 134.47: Facilities servicing people with developmental disabilities - Records
– 120.30: Patient data elements considered patient-identifiable
– 105.16: Home Health Agencies (Medical Record)
Applicable Medical Records Statutes & Regulations
• DOC:
– 348.09: Records & Reporting
– 346.28: Medical Records
• DCF:
– 53.06: Release of adoption information
– 54.06: Child Placing Agencies - Records
– 56.09: Care of Foster Children
Confidentiality of Patient Healthcare Records
• WSA 146.82 - Confidentiality of Patient Healthcare Records
– Default Rule: All patient healthcare records are confidential
– Patient Healthcare Records may be released only to the persons designated in Section 146.82
– Disclosure must be made by informed consent of the patient or person authorized by patient.
– All consents must be in writing and include:
• Patient’s name
• Purpose of disclosure
• Type of professional making disclosure
• Information to be disclosed
• Entity to which disclosure is to be made
• Time period during which consent is effective
• Signature of patient
• Relationship of signatory to patient (if not patient)
• Date of execution
• Wis Stats 146.81(2)
Informed Consent Expectations
• Wis. Stats. 146.81 - Informed Consent Expectations
– Informed consent is not required for the following:
• Release of information necessary to conduct management or financial audits or evaluations of programs & services
• Research purposes under specific conditions
• Various state agencies whose function it is to protect vulnerable populations
• Persons rendering assistance when a person’s life or health appears to be in danger
• A lawful court order
• Parent, guardian, or legal custodian of a minor or incompetent patient
• Guardian of an adjudged incompetent patient
• A personal representative or surviving spouse of a deceased patient
• Wis. Stats. 146.82(2), 146.81(5) and 148.82(2)
Who is the boss?
• HIPAA vs. Wis. Stats
– Covered Entity vs. Custodian of Records
– Protected Health Information (PHI) vs. Patient Healthcare Records
• Administrative requirements imposed by HIPAA generally have no Wis. Law counterpart
• Most issues are created by the interaction of HIPAA and Wis. Law
• HIPAA and Wis. Law both impose restrictions on the disclosure of confidential medical information
• Practical approach is to look first to HIPAA for baseline guidance and then to Wis. Law for more stringent legal requirements
• Examples
Deceased Patient’s Medical Records
• HIPAA extends persons’ privacy rights into death
• HIPAA requires release of records to authorized individuals
• HIPAA defers to state law to determine access rights
• Who is authorized in WI?
– Personal representatives and surviving spouses
– If no Personal Rep. or surviving spouse, next responsible member of the deceased’s family
• Behavioral Health Records
Pupil Records
• Federal Law (FERPA)
• Wis. Stats. 118.125
– Adds to the FERPA definition
– Defines Patient records within a school
– Pupil physical record
– Disclosure is subject to Wis. Stats 118.125(2)
• Exceptions to Patient Healthcare Records
Medical Record Confidentiality & Litigation
• Wis. Stats 804.10, 146.82 and 51.30
• Discovery of healthcare records
– What to do when you receive a Subpoena or Medical Request
– Consent and HIPAA Authorization
• Mental Health, AODA records and Developmental Disabilities
– Permitted discovery
– “Lawful order”
Mental Health Records & Confidentiality
• HIPAA allows broad use of PHI for treatment, payment & health care operations without patient consent
• Wis. Stats 51.30 allows the release of mental health treatment records without patient authorization only within the facility where the patient is being treated
• Wisconsin allows the release of mental health treatment records without patient authorizations for billing or collection purposes only to DHFS or a county department
• Compliance with HIPAA does not mean compliance with Wisconsin Law
Summary
• Check application of HIPAA first
• Check application of various Wisconsin Statutes and Regulations
• Choose most favorable provision for the patient
• When in doubt either:
– Seek informed consent; or
– Call your attorney
Enforcement
Enforcement Rule
• OCR will investigate and conduct compliance review when preliminary investigation indicates willful neglect
• OCR may proceed directly to formal enforcement without seeking informal resolution
• Definition of “reasonable cause”
– Necessary for culpability tiers used under HITECH to impose penalties
• Preamble includes examples of conduct triggering various tiers of culpability (and associated penalties)
Enforcement Rule
• Rule would eliminate exception from liability of CEs for civil monetary penalties for violations resulting from acts of agents if:
– Agent is BA
– Compliant BA agreement in place
– CE did not (1) know of pattern of activity or practice of BA; and (2) did not fail to act as required by Privacy Rule/Security Rule with regard to such violations
• CEs directly liable for acts of BAs who are agents within meaning of federal common law
• BAs similarly liable for acts of their agents (including subcontractors and workforce members)
HIPAA Enforcement Rule
• Investigation
• Notice of Proposed Determination
• Administrative Hearing
• Appeal
• Judicial Review
• Informal Resolution
– Available at Any Time
Enforcement Authority
• Secretary of HHS Delegated to the Administrator, CMS Authority to Investigate Noncompliance and Enforcement of Certain Regulations:
– Transaction and Code Set Rule
– National Employer Identifier Number (“EIN”) Rule
– Security Rule
– National Provider Identifier Rule
– National Plan Identifier Rule
• Delegation Does Not Include Authority with Respect to the Privacy Rule
– Delegated to the Office for Civil Rights
Criminal Enforcement
• Previous rule: up to $250,000 in fines and 10 years in prison for disclosing or obtaining PHI with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. Only a CE—not an employee or agent of CE—may be held criminally liable
• Under HITECH, penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by CE, regardless of whether such person is employed by CE
Civil Enforcement
• Previous Rule: HHS may impose CMPs for failure to comply with the Privacy and Security Rules, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical type during a calendar year
• CMPs may not be imposed if:
– The violation is a criminal offense under HIPAA’s criminal penalty provisions
– The person did not have actual or constructive knowledge of the violation
– The failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected within 30 days of discovery
Civil Enforcement under HITECH
• New approach to civil enforcement, with civil monetary penalties of varying amounts based on level of intent:
Level of Intent | Amount of CMP
Person did not know, and through reasonable diligence, would not have known | $100 for each identical violation up to $25,000 for all identical violations, but no more than $1.5 million for all violations of this type within calendar year
Violation was due to reasonable cause and not willful neglect | $1,000 per violation up to $100,000 for all identical violations, with a cap of $1.5 million for all violations of this type within calendar year
Violation due to willful neglect but was corrected within 30 days | $10,000 per violation up to $250,000 for all identical violations, with a cap of $1.5 million for all violations of this type within calendar year
Violation due to willful neglect and was not corrected within 30 days | $50,000 per violation, with an annual cap of $1.5 million for all violations due to willful neglect that are not corrected within 30 days
Federal Enforcement
• HHS required to investigate complaints if preliminary investigation indicates violation due to willful neglect
– If HHS finds violation due to willful neglect, penalties are mandatory
• Distribution of CMPs:
– Proceeds from CMPs to go to OCR for purposes of further Privacy and Security Rule enforcement activities
– Portion will be paid directly to harmed individuals
• Similar to qui tam provisions in False Claims Act
• HHS must issue regulations within 3 years to implement this requirement
• HHS to conduct audits of CEs and BAs to ensure compliance with Privacy, Security Rules
State Attorney General Enforcement
• AGOs authorized to bring civil action in federal court against persons who violate HIPAA if AGO has reason to believe that violation threatens or adversely affects any state resident
– Unless a federal action is pending
• Can enjoin violations and obtain damages:
– $100 per separate violation with a cap of $25,000 for all identical violations within calendar year
– Costs and attorneys’ fees
• AGO required to give HHS notice of suit
• HHS can intervene and take over action
• HHS can also file appeals
State Attorney General Enforcement
• HITECH provides state AGOs authority to bring civil actions on behalf of residents for violations of Privacy & Security Rules
– AGO can obtain damages on behalf of residents and enjoin further violations
• OCR offered free training sessions for AGOs
– Dallas, TX (Apr. 4-5, 2011)
– Atlanta, GA (May 9-10, 2011)
– Washington, DC (May 19-20, 2011)
– San Francisco, CA (Jun. 13-14, 2011)
Privacy Complaints
• Approximately 19,420 Privacy Complaints Filed With OCR; Most Common Allegations Have Been:
– Personal Medical Details Wrongly Disclosed
– Information Was Poorly Protected
– More Details Were Disclosed Than Necessary
– Proper Authorization Was Not Obtained
– Patients Frustrated in Attempting to Get Their Own Records
• Washington Post June 5, 2006
Security Complaints
• CMS Has Received Approximately 106 Security Complaints (as of last year)
– Also Inappropriately Received 28 Privacy-Related Complaints – To be Directed to OCR
• CMS Has Received Approximately 450 Transaction & Code Set Complaints
– 129 Remain Open
– Majority Involve Private Sector Organizations
• Health Information Privacy/Security Alert, Melamedia LLC May 22, 2006
Top 5 Issues in Enforcement
Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5
2010 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice
2009 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity
2008 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity
2007 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice
2006 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice
2005 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation
2004 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Authorizations
2003 (partial year) | Safeguards | Impermissible Uses & Disclosures | Access | Notice | Minimum Necessary
Criminal HIPAA Enforcement
• Dr. Huping Zhou (April, 2010)
– Sentenced to 4 months in prison, fined $2000
– Pled to 4 misdemeanor counts of accessing and reading medical records
– Accessed system 323 times during 3-week period after UCLA informed him he would be let go
– No attempt to improperly use or sell the PHI
Criminal HIPAA Enforcement
• Dr. Richard Alan Kaye
– Indicted June 21, 2011 for “wrongful disclosure” of PHI; maximum of 5 years in prison
– Medical director of psychiatric care center at Suffolk, VA hospital
– Treated patient between Aug. 20, 2007-Sep. 4, 2007
– On 3 occasions in Feb. 2008, Dr. Kaye disclosed PHI to patient’s employer
– Did so under false pretenses that patient was a serious and imminent threat
State Attorney General Enforcement
• Health Net (July, 2010)
– Connecticut AGO settled with insurer for $250,000
• Additional $500,000 contingent fund in event lost PHI is used illegally
• Corrective action plan
– Health Net lost hard drive with over 500,000 patients’ PHI
– Health Net delayed notifying individuals for 6 months
State Attorney General Enforcement
• WellPoint (July, 2011)
– Indiana AGO settled with insurer for $100,000
• Reimbursement of up to $50,000 per individual for any losses resulting from identity theft
– 32,051 insurance applicants’ information was accessible to the public through unsecured website
– Information accessible between Oct. 23, 2009-Mar. 8, 2010.
• Consumer notified WellPoint on Feb. 22, 2010
• Individuals not notified by WellPoint until Jun. 18, 2010
Enforcement
• Blue Cross Blue Shield of Tennessee (BCBST)
– OCR expects a carefully designed, delivered and monitored HIPAA compliance program
– Agreed to pay US Department of Health and Human Services $1.5 million to settle potential HIPAA violations
– Agreed to a corrective action plan to address gaps in its HIPAA compliance program
State Attorney General Enforcement
• Accretive Health, Inc.
– July, 2011—laptop with 23,500 patients’ PHI stolen from car
– Accretive is business associate of Fairview and North Memorial
• FV and NM notified patients
– AG suit alleges Accretive violated HIPAA, state health records law, debt collection and consumer fraud statutes
– First action against business associate?
– Status of HIPAA as to BAs?
Reported HIPAA Breaches in MN
Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated | Summary
UnitedHealth Group--SACE | MN | | 16291 | 1/26/2010 | Unauthorized Access/Disclosure | Paper | 6/9/2010 |
UnitedHealth Group--SACE | MN | | 735 | 3/2/2010 | Theft, Unauthorized Access/Disclosure | Paper | 8/4/2010 | On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level alert to monitor all remittance payments.
Reported HIPAA Breaches in MN
Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated | Summary
Mayo Clinic | MN | | 1740 | 7/15/2010 | Unauthorized Access/Disclosure | Electronic Medical Record | 9/20/2010 | Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions
UnitedHealth Group--SACE | MN | CareCore National | 1270 | 7/8/2010 | Unauthorized Access/Disclosure | Paper | 10/7/2010 |
Reported HIPAA Breaches in MN
Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated | Summary
Mankato Clinic | MN | | 3159 | 11/2/2010 | Theft | Laptop | |
North Memorial | MN | Accretive Health, Inc | 2,800 | 7/25/2011 | Theft | Laptop | |
Fairview Health Services | MN | Accretive Health, Inc | 14,000 | 7/25/2011 | Theft | Laptop | |
Fairview Health Services | MN | | 1,215 | 2/19/2011 | Loss | Paper | |
United Health Group Health Plan | MN | Futurity First Insurance Group | 3,994 | 7/28/2011 | Theft | Other Portable Electronic Device | |
InStep Foot Clinic, P.A. | MN | | 2,600 | 8/28/2011 | Theft | Laptop, Electronic Medical Record | |
UCLA-Reagan (July 2011)
• Allegations that UCLA employees repeatedly accessed ePHI of patients
– Complaint filed on behalf of 2 celebrities
– OCR investigation concluded that “numerous” other patients’ ePHI improperly accessed between 2005-2008
– Alleged violations of both Privacy Rule and Security Rule
• UCLA paid $865,000 and agreed to corrective action plan and independent monitor of HIPAA compliance for 3 years
– 165 employees disciplined, 2 former employees face criminal charges
Mass. Gen. Hospital (Feb. 2011)
• Hospital employee left documents on subway train commute
– 192 patient records (some with HIV/AIDS)
• HHS alleged violations of Privacy Rule
• Mass. Gen agreed to pay $1 million and implement CAP
– P & Ps subject to HHS approval
– Independent monitoring of HIPAA compliance
– Submit compliance reports to HHS for 3 years
HIPAA and Other Issues in Electronic Medical Records
HITECH PHYSICIAN INCENTIVES
Payment year | 2011 | 2012 | 2013 | 2014
2011 | $18K | - | - | -
2012 | $12K | $18K | - | -
2013 | $8K | $12K | $15K | -
2014 | $4K | $8K | $12K | $12K
2015 | $2K | $4K | $8K | $8K
2016 | $0 | $2K | $4K | $4K
2017 | $0 | $0 | $0 | $0
TOTAL | $44K | $44K | $39K | $24K
Meaningful Use Update
• Medicare program: up to $44,000 for eligible hospitals, professionals that demonstrate meaningful use of certified EHR technology
– Over 5 year period
– To achieve maximum payments, participation must begin by 2012
– Failure to demonstrate MU by 2015 will result in reimbursement reductions
• Medicaid program: up to $63,750 available over 6-year period
– Beneficiary volume requirements
Meaningful Use Update
• Registration for Medicare program began Jan. 3, 2011
– Registration for Medicaid program varies by state
– MN DHS has indicated registration will begin at end of 2011
• Attestation period for Stage 1 compliance began April 18, 2011
• Meaningful use payments began in May, 2011
– CMS: Within first month, more than 300 hospitals and physicians qualified for incentives and received payments under Medicare program
– CMS: by end of May, more than $83 million disbursed under Medicaid program (7 states)
Meaningful Use Update
• July 3, 2011: last day for eligible hospitals to begin 90-day reporting period
• Oct. 3, 2011: last day for eligible professionals to begin 90-day reporting period
• Nov. 30, 2011: last day for eligible hospitals, CAHs to register and attest to receive incentive payments for 2011
• Feb. 29, 2012: last day for eligible professionals to register and attest to receive incentive payments for 2011
Meaningful Use Update
• July 6, 2011: Dr. Farzad Mostashari (National Health IT Coordinator) said he agreed with conclusion that Stage 2 should be delayed until 2014
• Proposed Stage 2 rule issued in March 2012
Meaningful Use Update
• Stage 2 and 3:
– July 28, 2010 Final Rule on Meaningful Use (Stage 1) did not propose specific regulatory language for Stages 2 or 3. CMS indicated:
• Stage 2 requirements by end of 2011
• Stage 3 criteria by end of 2013
• In January 2011, the Health IT Policy Committee (HHS advisory committee) released for public comment preliminary recommendations for Stage 2 and 3 Meaningful Use
– In general, Stage 2 requires more thorough implementation of EHRs into daily practice and increased HIE
HITPC Preliminary Recommendations
Stage 2 Preliminary Recommendations
• 14 measures have higher standards
– CPOE increased from 30% to 60%
– Record demographics increased from 50% to 80%
– Current requirement to perform “test” of HIE changed to “connect to at least three external providers”
• 8 new measures
– List of care team members (including PCP) for 10% of patients in EHR
– Hospitals only – 30% of medication orders automatically tracked via electronic administration recording
• “Menu” measures would become “core” measures
Meaningful Use Update
• Feedback from stakeholders on HITPC recommendations:
– Providers
• Consistent message: “slow down”
• Learn from actual experience in Stage 1 before requiring Stage 2 measures
• Stage 2 should not start until at least 75% of eligible hospitals and professionals have successfully reached Stage 1 and not before 2014
– Vendors
• Need adequate lead time to be able to add new functionalities to EHR products
Still Have Questions?
Richard E. Nell
Nell & Associates, S.C.
380 Main Avenue
De Pere, WI 54115
Phone: 920.339.6377
www.nellandassociates.com

Feel free to contact us after the seminar!

Jesse A. Berg
Gray Plant Mooty
500 IDS Center
80 South 8th St
Minneapolis, MN 55402
Phone: 612.632.4444
www.gpm.law.com