HIPAA/HITECH and the Omnibus Final Rule:
The Seven Most Important Things You Need to Know Now to Comply
Jane Bello Burke
[email protected]
Amy L. Goerss
[email protected]
© 2012 Hodgson Russ LLP
The Key Changes
- HITECH Act-mandated changes are now codified in final rules
- The Security Rule and many Privacy Rule provisions now apply directly to Business Associates (BAs) of Covered Entities (CEs), not merely by contract
- "Business Associate" re-defined (subcontractors are now included)
- Breach Notification: the method for conducting a breach risk assessment has been revised
- Consumer-oriented rights that affect CEs:
  - Right to an electronic copy of the medical record
  - Restrictions on sale of PHI, marketing, and fundraising
  - Right to restrict certain disclosures to a health plan
Important Dates
- Rules were "effective" March 26, 2013
- Except as otherwise provided, the compliance date for most standards is September 23, 2013
- Notable exception: Business Associate Agreements (in some instances, existing agreements that complied with the prior rules have until September 22, 2014 to be conformed)
Business Associate Defined
- The HIPAA rules define "business associate" generally to mean a person who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information (PHI).
Business Associate Defined
- Business associate (45 C.F.R. § 160.103): other than a member of a covered entity's workforce, a person who:
  - (i) On behalf of a covered entity creates, receives, maintains, or transmits protected health information, including for claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
  - (ii) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, where the provision of the service involves the disclosure of protected health information from the covered entity or from another business associate of the covered entity to the person.
Business Associate Defined
A covered entity may be a business associate of another covered entity.
Business associate includes:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
Business associate does not include:
- A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
- A covered entity participating in an organized health care arrangement
Business Associate Definition
- Includes organizations that provide data transmission services for PHI and require access to the PHI on a routine basis (e.g., a Health Information Organization)
- Also includes a vendor that contracts with a CE to offer a personal health record to patients on the CE's behalf
- Exception: "mere conduits" that merely transport or transmit PHI without routine access to it, such as USPS, UPS, or internet service providers
  - The conduit exception is narrow. HHS's preamble to the Omnibus Rule states that a vendor that stores PHI (for example, a data storage or cloud provider) is a BA even if it never views the data.
Business Associate Definition
- Subcontractors are now included as business associates
  - A subcontractor is a person who creates, receives, maintains, or transmits PHI on behalf of a business associate, other than as a member of the BA's workforce
  - Each BA must have a compliant BAA with each of its subcontractors; the obligations flow down through every tier
- HIPAA applies to BAs even if no contract is ever signed!
  - BA status arises from the function performed, not from the agreement
  - If a Business Associate Agreement should be in place, failure to have one means the CE (or the BA, as to its subcontractors) is not in compliance with HIPAA
  - A person may be directly liable under the HIPAA regulations as a BA without even knowing it is a BA
Breach Notification
- Big changes from the interim final rule
- Presumption of breach unless there is a low probability of "compromise"
- The "harm threshold" was eliminated
Breach Notification
- "Breach" means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information.
Breach Notification
- Interim final rule:
  - "Compromises the security or privacy of protected health information" was further defined as posing "a significant risk of financial, reputational, or other harm to the individual" (the "harm threshold").
- New omnibus rule:
  - Any impermissible acquisition, access, use, or disclosure is presumed to be a breach unless the CE/BA can demonstrate a "low probability that the information has been compromised," based on a risk assessment of at least these four enumerated factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    2. The unauthorized person who used the PHI or to whom the disclosure was made
    3. Whether the PHI was actually acquired or viewed
    4. The extent to which the risk to the PHI has been mitigated
  - Document the assessment. The burden of proving that an incident was not a breach rests with the CE/BA.
Breach Notification
- Examples of breaches:
  - PHI sent to the wrong recipient
  - employee snooping
  - lost paper records
  - lost/stolen laptop or portable device
  - malware infection or hacking
- Caveat: the notification obligation attaches to "unsecured" PHI. PHI rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS's guidance (e.g., encrypted at rest on the lost laptop, with the decryption key not also compromised) is not "unsecured," and its loss is not a reportable breach.
Breach Notification
- Implications?
  - Follow the interim final rule standard until September 23, 2013
  - Strongly consider also evaluating each incident under the new standard in the meantime
  - If the two standards give different results, and the old standard yields "no breach" ... think again.
Patient Protections
- Patients have additional protections over their PHI in the areas of:
  - Marketing
  - Sale of PHI
  - Fundraising, and
  - Right to request certain restrictions on disclosures
Marketing
- Under the old rules, certain treatment and health care operations communications were not considered marketing
- Now, even most treatment-related communications will be considered marketing if the CE receives financial remuneration from a third party for making them
- If such a communication is desired, the covered entity must first obtain the patient's written authorization, and the authorization must state that remuneration is involved
- Examples of exceptions: communications for which no financial remuneration is received; recommending alternative treatments or treatment settings; case management and care coordination; and refill reminders or communications about a drug currently prescribed, where any payment received is reasonably related to the CE's cost of making the communication
Sale of PHI
- Similar to the concept of marketing, PHI cannot be sold without the patient's authorization, and the authorization must state that the disclosure will result in remuneration to the CE
- The concept of "sale" was not addressed in the old regulations
Fundraising
- Covered entities may now use additional individual-related information to raise funds for their own purposes
  - Examples: in a hospital setting, a covered entity could use the department in which a person was treated, the treating physician, outcome information, and health insurance status to target fundraising
- Must include the fundraising activity in the Notice of Privacy Practices, and each fundraising communication must give the individual a clear and conspicuous opportunity to opt out of further communications
The Individual's Right to Request Restrictions
- The Omnibus Rule requires Covered Entities to agree to a request to restrict disclosures of an individual's PHI:
  - to a health plan, for payment or health care operations purposes;
  - with respect to PHI pertaining solely to items or services for which the individual (or someone on the individual's behalf) has paid the CE out of pocket in full;
  - unless the disclosure is otherwise required by law.
- Industry Concerns
- Limitations
Expanded Patient Access
- Patients have a right to receive certain medical records in electronic format if they so choose
- Patients may request that records be sent directly to a third party
Individual Access to Electronic Records
- Rationale:
  - Patient involvement improves outcomes
  - Patient access facilitates information sharing with web-based Personal Health Records
- If the Covered Entity maintains the records electronically, the Covered Entity must provide the individual with electronic access:
  - in the form and format requested by the individual, if the information is readily producible in that format or, if not,
  - in a readable electronic form and format as the Covered Entity and the individual mutually agree
- Security caveat: the CE remains responsible for verifying the identity of the requester and for transmitting the copy securely. HHS's preamble allows delivery by unencrypted e-mail only where the individual has been advised of the risk and still requests it; otherwise, use an encrypted channel.
What Can the Covered Entity Charge for Electronic Records?
- Under the Privacy Rule, Covered Entities may impose reasonable, cost-based fees for copying and postage.
  - Costs are limited to labor for copying the requested information, supplies for creating the copy, postage (if applicable), and preparing a summary or explanation in lieu of the PHI, if the individual agrees in advance to the summary and the fee.
- The Omnibus Rule considers the cost of supplies for creating the electronic copy (e.g., portable media such as a USB drive or CD, if the individual requests the copy on media) to be included as part of the reasonable, cost-based fee; the costs of maintaining systems or of searching for and retrieving the record may not be charged.
- The fee must be both reasonable and cost-based.
- State law restrictions also apply; where state law sets a lower cap on fees, the lower cap controls.
The Right to Request Transmission To a Third Party
- If an individual requests that the Covered Entity send a copy of PHI directly to a third party, the Covered Entity must send the information to that designated person.
- The request must be in writing, signed by the individual, and must clearly identify the designated third party and where to send the copy.
- Consider creating a standard form for the written request, and verify the requester's identity before sending, as for any access request.
Revised Notice of Privacy Practices Required Content
- Required Content: In addition to existing Privacy Rule requirements, the NPP must inform individuals that:
  - most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require the individual's authorization;
  - other uses and disclosures not described in the NPP will be made only with authorization from the individual;
  - if the CE intends to contact an individual to raise funds, that individuals may receive fundraising communications and have the right to opt out of receiving such communications
    - The Final Rule does not require the NPP to include the mechanism for opting out of fundraising communications, but CEs may include such information if they choose to do so.
Revised Notice of Privacy Practices Required Content (cont'd)
- Individuals have the right to restrict disclosures of PHI to a health plan where the individual (or another person) pays out of pocket in full for a health care item or service
  - only health care providers are required to include such a statement in the NPP
  - other CEs may retain existing language that the CE is not required to agree to a requested restriction
- Right to notification after a breach of unsecured PHI
  - a statement that the individual has a right to or will receive notifications of breaches is sufficient
  - the statement need not be entity-specific, but the CE may opt to include more detailed information
Revised NPP: Distribution
- Under HIPAA, when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must:
  - make the NPP available upon request on or after the effective date of the revision
  - have the NPP available at the delivery site
    - ok to post the NPP in a prominent location at the delivery site if the full notice is immediately available (e.g., on a table under the posted summary) for individuals to pick up without additional burden on their part
    - not ok to require the individual to ask for a copy
- NB: Providers must give a copy of the NPP to, and obtain acknowledgment of receipt from, new patients only
Revised NPP: Plain Language
- Obligation to take steps to communicate effectively with individuals with disabilities
  - E.g., making the revised NPP or the notice of material changes to the NPP available in alternate formats, such as Braille, large print, or audio
- To avoid overly complex NPPs, CEs may use a "layered notice" to implement the Rule's provisions, for example providing the individual with both:
  - a short notice that briefly summarizes the individual's rights, as well as other information, and
  - a longer notice, layered beneath the short notice, that contains all the elements required by the Rule
HITECH Enforcement: Key Terms
- "Willful Neglect": conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
- HITECH incorporates the HIPAA concept
  - The Secretary must investigate a complaint or conduct a compliance review where a "preliminary investigation of the facts ... indicates a possible violation due to willful neglect"
  - The Secretary retains discretion where a preliminary review of the facts indicates a degree of culpability less than willful neglect
HITECH Enforcement: Key Terms
- "Reasonable Cause": an act or omission in which a CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the CE or BA did not act with willful neglect
  - See United States v. Boyle, 469 U.S. 241, 245 (1985) (defining "reasonable cause" in the context of U.S. tax laws)
- "Reasonable Diligence": the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
HITECH Enforcement: Penalty Structure
- For violations prior to 2/18/2009, retains the pre-HITECH maximum penalty amounts: a CMP of not more than $100 for each violation, with the total amount imposed on a CE for all violations of an identical requirement or prohibition during a calendar year not to exceed $25,000
- Establishes, for violations on or after 2/18/2009, tiers of increasing penalty amounts based on the increasing level of culpability associated with each tier

HITECH Penalties (violations on or after 2/18/2009)
Tier amounts per 45 C.F.R. § 160.404 as amended by the Omnibus Rule:

Violation Category                          | Each Violation       | All violations of an identical provision in a calendar year
Did Not Know                                | $100 to $50,000      | $1,500,000
Reasonable Cause                            | $1,000 to $50,000    | $1,500,000
Willful Neglect, Corrected (within 30 days) | $10,000 to $50,000   | $1,500,000
Willful Neglect, Not Corrected              | at least $50,000     | $1,500,000
Counting Violations
- Multiple Individuals Affected
  - Number of identical violations = number of individuals affected
  - Example: breach of unsecured PHI
- Continuing Violations
  - Number of identical violations = number of days the entity did not have appropriate safeguards in place to protect the PHI
  - Example: lack of appropriate safeguards for a period of time
- If an incident involves both an impermissible use or disclosure and a lack of safeguards, HHS may calculate a separate civil money penalty for each violation
Factors in Determining Penalty Amount
- Nature and Extent of the Violation, including
  - Number of Individuals Affected
  - Time Period during which the Violation Occurred
- Nature and Extent of Harm, including
  - Whether the Violation Caused Physical Harm;
  - Whether the Violation Resulted in Financial Harm;
  - Whether the Violation Resulted in Harm to the Individual's Reputation, and
  - Whether the Violation Hindered the Individual's Ability to Obtain Health Care;
- History of Prior Compliance
- Financial Condition of the CE or BA
Next Steps:
- Review and update all HIPAA policies and procedures and train staff on the changes
... but this is huge and may be intimidating, so ...
The Seven Most Important Things to Do Next:
1. Conduct a Risk Assessment of the Most Significant Changes
2. Understand the situations triggering Breach Notification
   - Update P&P, train staff
3. Understand the circumstances creating Business Associate status
   - Identify your BAs
   - Update BAAs as necessary, execute new BAAs if none exist
4. Identify situations where uses and disclosures require authorization, including
   - Marketing issues
   - Sale of PHI
   and update P&P accordingly
The Seven Most Important Things to Do Next (cont'd):
5. Understand the individual's rights
   - to access records in electronic format,
   - to request restrictions on disclosure of certain records,
   - to request transmission of PHI to a third party,
   and update P&P accordingly
6. Revise the Notice of Privacy Practices regarding:
   - Psychotherapy notes
   - Marketing rules
   - Sale of PHI
   - Other uses and disclosures
   - Fundraising communications
   - Right to restrict certain disclosures to a health plan
   - Right to breach notification
The Seven Most Important Things to Do Next (cont'd):
7. Educate employees on:
   - marketing rules
   - fundraising requirements
   - the prohibition against selling information
   - the right to access records in electronic format
   - the right to request restrictions on certain disclosures
   - the right to request transmission to a third party
   - breach notification requirements
   - the new penalty structure