California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: www.buchananingersoll.com
NEW OBLIGATIONS UNDER HIPAA
STEPHANIE WINER-SCHREIBER
May 19, 2011
Dec 27, 2015
OVERVIEW
I. RECENT DEVELOPMENTS – HITECH ACT
II. NEW OBLIGATIONS FOR COVERED ENTITIES
III. NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
IV. ENFORCEMENT CHANGES
V. July 14, 2010 Proposed Rule
WHAT’S NEW? HITECH ACT OF 2009: HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
• Effective February 17, 2010
• Proposed Rule – July 14, 2010
  • Modifications to the HIPAA Privacy, Security, and Enforcement Rules
  • NOT FINAL RULE
  • Comment period through September 13, 2010
  • Final Rule – Any time now!
KEY POINTS
• Extends the reach of privacy and security protections beyond covered entities
• Imposes additional obligations on Business Associates
• Authorizes greater access and rights to individuals
• Imposes State Attorney General oversight and additional tiered penalties
• Proposed Rule attempts to clarify obligations for both Covered Entities and Business Associates
NEW OBLIGATIONS FOR COVERED ENTITIES
• Notice obligations in the event of a “breach”
• Even if not a “breach” it may still be a HIPAA violation
• Individuals may request additional restrictions:
  • May request that a covered entity not disclose PHI to a health plan if the disclosure is for payment or healthcare operations (not treatment) AND the PHI pertains solely to a healthcare item or service for which the provider has been paid in full
  • Issue for comment in Proposed Rule
NEW OBLIGATIONS FOR COVERED ENTITIES
• Further limitations on use of PHI – Minimum Necessary Requirements
  • Safe Harbor
  • Limited Data Set
  • Retains current carve outs for treatment
  • HHS guidance pending comments on Proposed Rule
NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings
• Accountings will be required for treatment, payment and healthcare operations for disclosures made through an electronic health record
• Accountings 3 years prior to request
• Compliance date dependent on date of electronic health record
NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
• Current electronic health record users (as of 1/1/09) – applies to disclosures on or after 1/1/14
• Others (acquire electronic health records after 1/1/09) – later of 1/1/11 or date of acquisition
• Secretary can set later effective date, but no later than 2016 or 2013 respectively
NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
• Covered Entity may provide accountings for itself and all BAs, or
• May provide list of all BAs and their contact information
• Possible modifications/expansions based on Proposed Rule
NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
• Individuals may request information in an electronic format if the covered entity uses or maintains an electronic health record
• Fee may not be greater than the covered entity’s labor costs in responding to the request
• May request to have it sent electronically to third party
• Effective February 17, 2010
NEW OBLIGATIONS FOR COVERED ENTITIES
• A covered entity and business associate may not directly or indirectly receive remuneration in exchange for protected health information of an individual unless the covered entity obtains from the individual a valid authorization
• Effective 6 months following issuance of HHS Rule
• There are proposed modifications in the Proposed Rule
• There are exceptions:
NEW OBLIGATIONS FOR COVERED ENTITIES
Exceptions:
• Public health activities
• Research, where the price charged reflects the costs of preparation and transmittal of the data for such purpose
• Treatment (subject to future regulations by the Secretary)
• Healthcare operations (Proposed Rule clarifications)
• Activities pursuant to a business associate agreement
• Provision of information to an individual (in accordance with a valid request)
• Other exchanges approved by the Secretary
NEW OBLIGATIONS FOR COVERED ENTITIES
New Marketing Requirements
Definition of Marketing – “A communication about a product or service that encourages recipients of the communication to purchase or use the product or service”
NEW OBLIGATIONS FOR COVERED ENTITIES
Marketing Exceptions:
Communications that encourage recipients to purchase or use the product will not be considered to be healthcare operations unless the communication is made:
  (i) to describe a health related product or service that is provided by or included in a plan of benefits of the covered entity making the communication, replacement of or enhancements to a health plan, and health related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
  (ii) for treatment; or
  (iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers or settings of care for the individual
NEW OBLIGATIONS FOR COVERED ENTITIES
Communications that fall within the marketing exception:
• Are not marketing
• Still need to be permissible under the Privacy Rule
• Typically characterized as healthcare operations or treatment
• Are the only types of communications to encourage the use or purchase of a product or service that can be considered healthcare operations
NEW OBLIGATIONS FOR COVERED ENTITIES
Marketing Exceptions – Cont.
These communications cannot be healthcare operations if the Covered Entity received direct or indirect payment, unless:
• The communication describes only a currently prescribed drug or biologic and any payment is reasonable in amount – or
• Covered Entity receives an authorization – or
• The communication is made by a BA on behalf of a Covered Entity within the scope of the Business Associate Agreement
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
HIPAA Security Rule
• Regulations under Sections 164.308, 164.310, 164.312, and 164.316 will become applicable to Business Associates
• These sections relate to administrative safeguards, physical safeguards, technical safeguards, and documentation requirements
• Potentially broader requirements under Proposed Rule
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Administrative Safeguards:
• Develop policies and procedures
• Appoint a security officer
• Establish sanctions for violations
• Provide security training
• Perform evaluations of effectiveness of policies and procedures
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Physical Safeguards:
• Implement policies and procedures to limit physical access to information systems
• Implement safeguards for workstation security
• Develop policies for disposition of PHI on workstations
• Develop policies and procedures for removal of hardware from facility
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Technical Safeguards:
• Assign unique names and/or numbers for tracking user identity
• Establish mechanisms for auditing activity
• Establish means of verifying users
• Establish means of restricting PHI transmissions over an electronic network
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Documentation Requirements:
• Policies must be in writing (or in electronic format)
• Reports of actions and activities must be maintained in writing or electronically
• Required documentation must be retained for at least 6 years from the later of date of creation or date last in effect
• Documentation must be periodically reviewed and modified as necessary
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
• Even if appropriate safeguards are in place, Business Associates should document compliance with each aspect of the Security Rule
• Will require a risk assessment and appropriate policies and procedures
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Non-Compliance
• Under HIPAA, if Covered Entity had knowledge that BA was not complying, then Covered Entity had obligation to cure, terminate contract or, if not feasible, report to HHS
• HITECH makes this obligation reciprocal
• If BA is aware of non-compliance by Covered Entity, BA has obligation to cure, terminate contract or, if not feasible, report to HHS
• Proposed Rule potentially modifies this further
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
• Business Associates may become directly responsible for responding to requests for accountings
• Covered Entities may not want Business Associates to take on this responsibility
• Business Associates – increased obligations for reporting breaches
• Business Associates – may want to encrypt PHI
• Will need to establish policies and protocols
• Proposed Rule includes additional obligations
NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
• Business Associates will need to develop policies and procedures regarding minimum necessary obligations
• Business Associates and individuals (i.e. employees) may be held liable for violations
• No longer just a contractual breach
• Under Proposed Rule – greater overall obligation to comply with Privacy Rule and expanded definition of workforce
ENFORCEMENT CHANGES
• State Attorneys General can bring civil HIPAA actions
• A percentage of civil monetary penalties will go to victims
• Civil monetary penalties are tiered and the cap raised from $25,000 to $1.5 million annually per type of violation
• Fines are mandatory if the violation is due to “willful neglect”
• Extensive proposals in Proposed Rules
ENFORCEMENT CHANGES
• HIPAA criminal penalties apply to individuals
• Business Associates can be held liable
• HHS may bring civil enforcement actions where the violation may be criminal but no criminal action is pursued
PROPOSED RULE
• Remember they are just PROPOSED RULES and may change significantly
• Highlights thought process of HHS
• Significant areas of potential change:
  • Definition of Business Associate
  • Requirements for new Business Associate Agreements
  • Obligations for Business Associates
  • Timeframes for compliance (including new Business Associate Agreements)
  • Content for Privacy Notices
  • Changes with respect to marketing and fundraising
Questions?
Stephanie W. Schreiber, Esq.
Buchanan Ingersoll & Rooney PC
20th Floor, One Oxford Centre
Pittsburgh, PA 15219
Phone: 412-392-2148
FAX: 412-392-2128
email: [email protected]