HIPAA Regulations Update: What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It
Post on 26-Dec-2015
Transcript
Slide 1: HIPAA Regulations Update
What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It
HIPAA COW Fall Conference, October 15, 2010
Sarah Coyne and Tom Shorter

Slide 2: Breach Notification
- We talked about this last year. Covered entities and business associates must notify patients and DHHS in the event of a breach
- Ways to get off the reporting train
- Interim final rule still in effect – published August 24, 2009 (final rule drafted, released, withdrawn on July 28, 2010).

Slide 3: An Endpoint!
- PHI of patients deceased more than 50 years is no longer protected under HIPAA (under proposed rules)

Slide 4: AHA Data Shows Poor Hospital Compliance With HITECH
- 2010 AHA survey of compliance officers
- 85% of hospitals not HITECH-compliant
- 41% of hospitals have 10 or more data breaches annually

Slide 5: Family and Friends
- Like Wisconsin, proposed HIPAA rules clarify that certain disclosures to friends and family are permissible
- Wisconsin – may release a "portion but not a copy" if any of the following:
  - patient agrees
  - emergency
  - family/close friend notification
  - family/close friend involved in care

Slide 6: Redisclosure
- Original HIPAA stands: no protection for records redisclosed by recipient.
- Wisconsin – no redisclosure unless:
  - Patient authorizes
  - Court orders
  - Consistent with original purpose of disclosure

Slide 7: Minimum Necessary – Current Law
- Uses, disclosures, and requests should be limited to a limited data set, when practicable
- If a limited data set is not practicable, should be limited to the minimum necessary to achieve the purpose of the use/disclosure
- The CE or BA disclosing gets to make the call on what is the minimum necessary

Slide 8: Minimum Necessary – Proposed Rule
- Proposed rule did NOT provide new requirements to the minimum necessary rule – so we are still stuck with the default of a limited data set for now
- Solicited comments on what guidance would be helpful to CEs and BAs

Slide 9: Minimum Necessary – What Do We Need To Do?
- Revise BAAs and Privacy Rule policies and procedures to limit uses, disclosures, and requests to a limited data set (where practicable)
  - May need to revise again when new provisions come out – some CEs have chosen to wait for further guidance before revising BAAs
- Make sure workforce members are aware of changes to the minimum necessary rule
Slide 10: Marketing – Current Law
- Three exceptions to the definition of "marketing":
  - Communications made to describe a health-related product or service provided by the CE
  - Communications made for treatment
  - Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, providers or settings of care

Slide 11: Marketing – Current Law
- Communications that previously fell outside the definition of "marketing" may now constitute marketing if the CE receives payment from a third party for making the communication (and will require patient authorization)

Slide 12: Marketing – Current Law
- Limited exceptions:
  - A communication describing only a drug or biologic the recipient is currently prescribed (payment must be reasonable)
  - A communication made by a BA on behalf of the CE (and the communication does not violate the BAA)
  - A communication pursuant to a valid patient authorization, if the communication is made by the CE (obviously)

Slide 13: Marketing – Proposed Rule
- Subsidized treatment communications do not require authorization BUT they are subject to notice and opt-out
  - Opt-out must be in the communication, and it must be relatively easy to opt out
  - NPPs must contain a statement about subsidized treatment communications

Slide 14: Marketing – Proposed Rules
- Only specified HCO communications require authorization if the CE receives financial remuneration in exchange for making the communication
  - Rule attempts to clarify differences between HCO and treatment communications
  - Defines "financial remuneration"

Slide 15: Marketing – Proposed Rule
- Subsidized refill reminders and other communications about currently prescribed drugs/biologics do not require authorization (payment must be reasonable)
- Face-to-face communications and promotional gifts of nominal value still permitted

Slide 16: Marketing – What Do We Need To Do?
- All arrangements where a CE receives remuneration from a third party to make patient communications must be reviewed to see whether an authorization is required
- Evaluate whether an exception applies
- If an exception does not apply, you will need a patient authorization

Slide 17: Fundraising – Current Law
- Must provide a clear and conspicuous opportunity to opt out of any further fundraising communications
- Strict compliance with the opt-out; no more "reasonable efforts" to comply
- An individual's choice to opt out must be treated as a revocation of authorization

Slide 18: Fundraising – Proposed Rule
- Minor clarifications:
  - Each fundraising communication to a patient must include a clear and conspicuous opt-out
  - CE may not condition treatment or payment on an individual's decision
  - If an individual opts out, the CE may not send further fundraising communications
  - Statement in NPP still required
- Request for comment on PHI to be used in fundraising communications

Slide 19: Fundraising – What Do We Need To Do?
- Implement a system for tracking opt-out decisions
- Ensure all fundraising communications have a clear opt-out process
- Opt-out process may include a phone or email option, but requiring individuals to write a letter may be an "undue burden"
Slide 20: Accounting From EHR For TPO – Current Law (sort of)
- HITECH Act requirements are not yet effective
  - If you had an EHR as of 1/1/09, the effective date is 1/1/2014
  - If you adopted an EHR after 1/1/09, the effective date is the later of 1/1/11 or the date the EHR is acquired
- As of the applicable effective date, if you have an EHR, you must account for disclosures made through the EHR for treatment, payment, and health care operations
- Must account for such disclosures for the past three years (as opposed to six years for other accounting requirements)

Slide 21: Accounting From EHR For TPO – Current Law (sort of)
- Covered entities have the option of either:
  - Including the EHR disclosures made by their BAs in the same accounting of disclosures report, or
  - Providing a list of their BAs, who would then be required to provide an accounting to the patient (must include the contact information)

Slide 22: Accounting From EHR For TPO – Current Law (sort of)
- HITECH Act required creation of regulations addressing what information should be collected for accountings through an EHR
- Regulations should only require information that takes into account:
  - The interests of the individuals in learning the circumstances under which their PHI is being disclosed, and
  - The administrative burden for such accountings

Slide 23: Accounting From EHR For TPO – Proposed Rule (not yet)
- Proposed rule was anticipated in June 2010…didn't happen
- Little guidance available on what information will be required for these types of accountings

Slide 24: Accounting From EHR – What Do We Need to Do?
- Cross your fingers that the government proposes a reasonable rule…
- If you are going to purchase and implement an EHR, make sure it has accounting capabilities
- If you already have an EHR, start to work with your vendor on how to meet the accounting requirements if it doesn't currently have this functionality

Slide 25: Security Rule – Risk Analysis Guidance
- Guidance is based on NIST recommendations
- Recognizes that risk analysis methods will vary based on the size, complexity, and capabilities of the organization
- The result of the risk analysis determines how the CE should approach the implementation specifications – particularly addressable ones

Slide 26: Security Rule – Risk Analysis Guidance
- Elements of a risk analysis:
  - Determine the scope of the risk analysis
  - Identify where e-PHI is stored, received, maintained, transmitted
  - Identify threats and vulnerabilities
  - Assess current security measures
  - Determine the likelihood that a threat will occur
  - Determine the potential impact of potential threats
  - Assign a risk level to identified threats/vulnerabilities
  - Document the assessment

Slide 27: Security Rule – Risk Analysis Guidance
- Must document the risk analysis process
  - Document assigned risk levels and a list of corrective actions to be performed to mitigate each risk level
  - Documentation helps justify decisions for addressable standards
- Must periodically review and update the risk assessment – ongoing process
  - Frequency will vary among CEs
  - Should be performed as technologies and business operations change

Slide 28: Risk Analysis Guidance – What Do We Need To Do?
- Make sure you have documented your risk analysis
- Make sure your addressable implementation specifications align with the results of the risk analysis
- Make sure you periodically review and update your risk analysis (don't forget remote users and portable devices!)
- Update your security safeguards if necessary

Slide 29: Security Safeguard Trends
- Encryption continues to become more and more important:
  - Encryption = exception to breach notification
  - PHI is rendered unusable, unreadable, or indecipherable if NIST encryption standards for data at rest and in motion are followed
  - Not all encryption technology meets NIST standards – check your technology
  - Final Certification Rule = EHR certification requires encryption capabilities

Slide 30: Security Safeguard Trends
- Destruction of PHI
  - Exception to security breach notification if PHI has been destroyed as follows:
    - Paper, film, and other hard copy media are shredded or destroyed so PHI cannot be read or reconstructed (redaction is not sufficient)
    - Electronic media is cleared, purged, or destroyed consistent with NIST standards on media sanitization

Slide 31: Security Safeguard Trends
- HHS to issue annual guidance on the most effective and appropriate technical safeguards – Risk Analysis was first in the series
- For helpful Security Rule guidance, see: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
  - Security Rule Educational Series
  - Relevant NIST Standards
  - Risk Analysis Guidance
  - Remote Use Guidance
Slide 32: Business Associates – Current Law
- Under HITECH, Business Associates are DIRECTLY liable for compliance with the Security Rule and for uses and disclosures under the Privacy Rule
- Requires affirmative compliance obligations – details clarified somewhat in proposed rules of July 14 and will be further clarified in final rules and other guidance.

Slide 33: Business Associates – NPRM
- Expansion of the definition of BA to include:
  - Health Information Organizations
  - E-Prescribing Gateways
  - Entities/individuals that
    - Provide data transmission services with respect to PHI AND
    - Require access on a routine basis to that PHI
- Definition will not include "conduits" only accessing PHI on a random or infrequent basis

Slide 34: Business Associates – NPRM
- Definition of BA will include SUBCONTRACTORS!
- Endless downstream flow of obligations

Slide 35: Business Associates – NPRM
- Reference patient safety activities
- Except certain entities from the BA Agreement requirement, including:
  - Some governmental agencies that perform enrollment and eligibility activities for another governmental agency's health plan

Slide 36: Business Associates – NPRM
- Clarified liability of BAs
  - Will be directly liable for Security Rule violations
  - Will be directly liable for impermissible uses and/or disclosures under the Privacy Rule
  - Failure to disclose to the Secretary or provide e-access

Slide 37: Business Associates – NPRM
- Changes to liability of CEs
  - Will be liable for acts of BAs acting as CEs' agents within the scope of agency

Slide 38: Business Associates – Timing
- Continue to enter into and comply with BA Agreements
- Comply with requirements in the HITECH Act now
- Proposed rules contemplate a general compliance date of 180 days after the effective date of the final rules
- Proposed rules contemplate a transition period for BAA revision ending on the earliest of:
  - When the BA relationship is changed in any way after 240 days from publication of the final rule
  - One year and 240 days after publication of the final rule

Slide 39: Business Associates – Practical Guidance
- Be prepared to act!
- BAs will be required to have BA Agreements with Subcontractor BAs
  - This is the BA's obligation, not the CE's obligation (although practically speaking, CEs should make sure it happens.)

Slide 40: Disclosing PHI to Health Plans – Current Law
- 45 CFR 164.506. A covered entity may, without the individual's authorization, use or disclose protected health information for its own treatment, payment, and health care operations activities.
  - To avoid interfering with an individual's access to quality health care or the efficient payment for such health care
- A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.

Slide 41: Disclosing PHI to Health Plans – Current Law
- "Payment" is defined as the activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment activities include:
  - Determining eligibility or coverage under a plan and adjudicating claims;
  - Risk adjustments;
  - Billing and collection activities;
  - Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  - Utilization review activities; and
  - Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

Slide 42: Disclosing PHI to Health Plans – Current Law
- A CE must limit disclosures of PHI for payment to the Minimum Necessary
- A CE must develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for payment, based on who needs access for their jobs
- A CE may choose to obtain an individual's consent for it to use and disclose information for payment
- Individuals have the right to request restrictions on how a CE uses and discloses PHI about them for payment. A CE is not required to agree to an individual's request for a restriction, but is bound by any restrictions to which it agrees.

Slide 43: Disclosing PHI to Health Plans – Proposed Regulations
- CE must agree to an individual's request to restrict disclosure of PHI to a health plan if:
  - PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the CE in full out of pocket
  - Disclosure is not required by other law

Slide 44: Disclosing PHI to Health Plans – Proposed Regulations
- CE cannot require an individual to pay out of pocket for all services if that individual wishes to restrict disclosures regarding only certain services
- If the individual's payment is not honored, and the payment issue cannot otherwise be resolved with the individual, the covered entity may submit PHI to the health plan for payment
- NPRM requests public comment to resolve various operational issues
Slide 45: Enforcement – Current Law
- Sections 13409, 13410 and 13411 of the HITECH Act:
  - Criminal penalties for individuals such as employees
  - Noncompliance due to "willful neglect"
  - Distribution of certain Civil Monetary Penalties
  - Tiered increases in Civil Monetary Penalties
  - Enforcement by State Attorneys General
  - Audits

Slide 46: Enforcement – Current Law
- Enforcement Interim Final Rule (IFR)
  - Published Oct. 30, 2009; effective November 30, 2009
  - Implemented Section 13410(d) of the HITECH Act by:
    - Setting four categories of violations reflecting increasing culpability
    - Setting four corresponding tiers of penalty amounts, increasing minimum penalty amounts
    - Establishing a maximum penalty amount of $1.5 million for all violations of an identical provision
    - Revising affirmative defenses
    - Providing a prohibition on the imposition of penalties for any violation corrected within 30 days, if the violation was not due to willful neglect

Slide 47: Enforcement Under NPRM
- Incorporates "willful neglect" and gives a definition
- Mandates certain investigations
- Increases the ability of HHS to see PHI for enforcement investigations
- Gives definition to factors considered in an investigation

Slide 48: Enforcement Under NPRM
- OCR will investigate if a preliminary investigation indicates "willful neglect"
- OCR not required to seek informal resolution before proceeding to formal enforcement
- Revised definition of "reasonable cause"
- Guidance as to categories of culpability in the preamble

Slide 49: Enforcement – Actions to Take Now
- Develop and implement HIPAA-compliant policies and procedures
- Properly secure PHI to access the Breach Notification safe harbor
- Complete self-audits to confirm PHI is protected
- If a violation is discovered, act quickly to discontinue and correct
- Strengthen the complaints process to resolve cases prior to a federal claim
- Observe HIPAA's relevant remediation requirements

Slide 50: De-Identification – Current Law
- De-identification under 45 CFR §164.514(b)
- Statistical approach: a qualified statistical or scientific expert concludes, through the use of accepted analytic techniques, that the risk the information could be used alone, or in combination with other reasonably available information, to identify the subject is very small.

Slide 51: De-Identification – Current Law
- "Safe Harbor" approach permits a covered entity to consider data to be de-identified if:
  - It removes 18 types of identifiers (e.g., names, dates, and geocodes on populations with fewer than 20,000 inhabitants)
  - It has no actual knowledge that the remaining information could be used to identify an individual, either alone or in combination with other information.
Slide 52: De-Identification – Current Law – Safe Harbor
Must remove the following identifiers of the individual, relatives, employers, and household members:
- Names
- All dates except year, and ages >89
- Fax numbers
- SSN
- Health plan #
- Certificate/license #
- Device IDs and serial #s
- IP address
- Full face photo
- Geographic subdivisions smaller than state, except for the initial 3 digits of zip if the area contains > 20,000 people
- Telephone #s
- Email addresses
- Medical Record #
- Account #
- VINs and vehicle serial #s
- URLs
- Biometric identifiers, i.e. finger or voice prints
- Any other unique ID #s, characteristics or codes
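As an added example (not part of the presentation), a Python implementation of the Safe Harbor checklist above: it drops the direct identifiers, reduces dates to the year, collapses ages over 89 into a single "90+" bucket, truncates ZIP codes to three digits only where the three-digit area holds more than 20,000 people, and refuses to release a record whose free text still matches an identifier pattern. The field names, the ZIP-area population table and the sample record are constructed for this example.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
from datetime import date

# Fields holding identifiers that Safe Harbor removes outright (constructed names).
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "account_number", "health_plan_id", "license_number",
    "phone", "fax", "email", "url", "ip_address", "device_serial", "vin",
    "biometric", "photo", "other_unique_id",
}

# Constructed 3-digit ZIP area populations (not real census figures).
ZIP3_POPULATION = {"537": 350000, "548": 12000}
ZIP3_MIN_POPULATION = 20000  # Safe Harbor threshold from the slide

# Patterns that indicate an identifier leaked into free text.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the initial 3 digits only when that area exceeds 20,000 people."""
    zip3 = zip_code[:3]
    if ZIP3_POPULATION.get(zip3, 0) > ZIP3_MIN_POPULATION:
        return zip3
    return "000"  # small area: the whole geographic code is suppressed


def generalize_date(value):
    """Only the year survives; accepts a date object or an ISO date string."""
    if isinstance(value, date):
        return str(value.year)
    return str(date.fromisoformat(value).year)


def generalize_age(age):
    """Ages over 89 are aggregated into one '90+' category."""
    return "90+" if age > 89 else age


def find_residual_identifiers(text):
    """Names of identifier patterns still present in a free-text field."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def deidentify(record):
    """Return a new record with the Safe Harbor transformations applied.

    Raises ValueError when a free-text field still carries an identifier
    pattern, since such a record must not be released as de-identified.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # remove the field entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob" or key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "notes":
            leaks = find_residual_identifiers(value)
            if leaks:
                raise ValueError(f"notes field still contains: {leaks}")
            out[key] = value
        else:
            out[key] = value  # clinical fields such as diagnosis codes pass through
    return out


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {
        "name": "Jane Roe", "ssn": "123-45-6789", "mrn": "MRN-000123",
        "dob": "1931-05-04", "age": 92, "zip": "53703",
        "admission_date": "2010-09-14", "diagnosis": "J18.9",
        "notes": "Patient improving.",
    }
    print(deidentify(sample))
```

The "no actual knowledge" prong of Safe Harbor is a human judgement and is deliberately not automated here.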
Slide 53: De-Identification – 2010 Workshop
- OCR hosted a Workshop on the Privacy Rule's De-Identification Standard in March 2010
- OCR will use information gained through the workshop to develop the guidance required and supported by ARRA.
- OCR accepted comments after posting
- OCR promised guidance on its web site
- All materials developed for the workshop are posted on the OCR web site.

Slide 54: De-Identification – Practical Guidance
- Even if you fit within a safe harbor, are there other sources of liability for sharing de-identified data?
- If a CE or BA shares de-identified data, an agreement between the parties should prohibit the recipient from attempting to re-identify individuals.
- Require security measures even for de-identified information
- Require use of limited access datasets
- Require education and training of staff de-identifying data

Slide 55: Questions?
Sarah Coyne, (608) 283-2435, sarah.coyne@quarles.com, Quarles & Brady LLP
Tom Shorter, (608) 284-2239, tshorter@gklaw.com, Godfrey & Kahn, S.C.