The U.S. Department of Health and Human Services (“HHS”) announced last week that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for more than $1.2 Million because it failed to wipe the hard drives when it returned leased photocopiers.
This settlement is the most recent in a long line of breaches which triggered self-reporting obligations. By now, HIPAA covered entities are certainly familiar with the concept of media notification. This settlement, however, highlights a different type of media notification — one which is to be avoided.
Join us for a complimentary webinar to further discuss the release of the final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.
Tuesday, May 21, 2013
Noon – 12:30 p.m. (Eastern Time)
- Analysis of unauthorized access, use, or disclosure
- Meaning of “breach”
- Documentation requirements
- Notification requirements – affected individuals, media, and HHS
- Breach prevention
- Robust compliance efforts
- Insurance products
Many thanks to our colleague, Robin Canowitz, for submitting the following guest post.
Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution. These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges. Questions often arise regarding who should have access to records and how to limit access to portions of the medical record involving alcohol and drug abuse, mental health issues, sexually transmitted diseases, and other sensitive categories of PHI. When treatment of minors is involved, the issues become even more complicated. Set forth below is a discussion of a few such issues we frequently encounter.
Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services. This is the first in a three-part miniseries following last month’s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy and Security Rules.
On Tuesday from noon until 12:30, we will explore the changes to the Privacy Rule, including:
- Greater restrictions on provider use and disclosure of PHI;
- Increased individual rights to PHI; and
- What must be done by September.
The webinar will probe into marketing and fundraising involving PHI, how providers can best respond to patients’ requests for their health information, and how your organization should address these changes both internally (via employee training and updating policies and procedures) and externally (by revising the notice of privacy practices).
To RSVP, or for more information, contact Kayla Allen at firstname.lastname@example.org.
Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule. In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates. Indeed, not only do “traditional” business associates have increased compliance obligations, but so do their vendors – many of whom might be entirely unaware of this fast-moving train barreling down the tracks.
With compliance deadlines around the corner, providers are likely wondering what this means for them. Most are quite familiar with the HIPAA requirement that they have a business associate agreement (“BAA”) in place with their business associates. For many, this has historically been nothing more than a low-priority formality. Now, they must ensure that these agreements adequately address downstream compliance obligations, in particular those related to an unauthorized access, use, or disclosure of PHI. More fundamentally, providers will need to be more vigilant in identifying their business associates. And, due to increased enforcement, providers may wish to shepherd their business associates as they strive to become compliant with HIPAA, and even consider periodically auditing these vendors for HIPAA compliance. As part of this process, which will be discussed in greater detail below, we suggest that providers consider educating their business associates on identifying subcontractors and making these vendors aware of their own HIPAA compliance obligations.
As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are fewer than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules. For those entities that have already taken steps following the release of the HITECH interim rules, the task may be a little less daunting (although policies, procedures, and NPPs must also be updated following release of the final rule), but for covered entities and business associates that have taken a “wait and see” approach to the final rule, the compliance clock is now running. September 23, 2013 is just 219 days away.
Here is a list of the key issues that every covered entity and business associate must address before September 23, 2013:
- Perform or update a Security Rule risk assessment to identify the potential risks and vulnerabilities of electronic PHI (a similar gap analysis should be performed to identify the risks and vulnerabilities of all PHI, i.e. paper files, x-rays, etc.). This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security and Privacy Rules.
- Encrypt, encrypt, encrypt.
- Develop or update HIPAA policies and procedures, including policies and procedures that address mobile devices and social media.
- Update and distribute Notice of Privacy Practices to reflect the provisions in the final Omnibus HIPAA rule.
- Review and update all business associate agreements to include and/or clarify breach notification provisions, indemnification obligations, and cyber-insurance requirements.
- Business associates must enter into business associate agreements with their downstream vendors who handle PHI. Covered entities, when contracting with their business associates, should review their business associates’ downstream vendor business associate agreements as part of their own due diligence.
- Develop or update your breach response plan to include the Final Rule’s new objective test for determining whether you have a reportable breach.
- Ensure that all employees are trained regularly to comply with your HIPAA policies and procedures. Consistently discipline employees who violate HIPAA policies and procedures.
- Consider procuring data breach/cyber insurance to cover the costs of a breach (which could include the following costs: investigation — including a forensic analysis, mitigation, notification, legal, PR, credit monitoring, fines and penalties).
We will begin a series of blog posts next week which will further analyze each of the changes in the Final Omnibus HIPAA Rule.
Presented by Vorys, Sater, Seymour and Pease LLP
On Thursday, Feb. 7, at noon, HealtHITech Law bloggers Lisa Reisz and Liam Gruzs will host a webinar discussing the release of the long-awaited final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.
The omnibus final rule is comprised of the following four final rules:
- Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH
- Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH
- Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule’s “harm” threshold with a more objective standard
- Final rule modifying the HIPAA Privacy Rule as required by GINA
February 7, 2013
Noon – 1 p.m.
RSVP to email@example.com.
Business Associates: You’re on notice.
When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent. Historically, business associates have been required to comply with HIPAA only insofar as dictated by their contractual relationships with covered entities. HITECH drastically changed this, mandating that certain HIPAA provisions apply directly to business associates.
In addition to specifying these obligations (discussed below), the Final Rule clarified to whom these obligations apply:
- Patient Safety Organizations – the Final Rule adopted the proposal to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.
- Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; Vendors of Personal Health Records – such entities that provide services with respect to PHI and require access on a routine basis to such PHI are considered business associates. Note that this is consistent with HHS’s prior interpretation, which advises that entities that act as “mere conduits” for transporting PHI, but do not access PHI other than on a random or infrequent basis, are not business associates.
- Subcontractors of Business Associates – downstream entities, i.e. persons to whom a business associate has delegated a function, activity or service that the business associate has agreed to perform for a covered entity or business associate, are now considered business associates. HHS made clear that no matter how far downstream the PHI flows, entities which meet the definition are business associates.
- Exceptions – the final rule carves out from the definition of business associate health care providers with respect to disclosures by a covered entity to the provider concerning the treatment of the individual. This change moves the exception from 164.502(e)(1)(ii), the standard for disclosures to a business associate.
Having clarified who is a business associate, the Final Rule adopted the following key proposed changes relative to business associates:
- Compliance and Enforcement: HITECH provided statutory authority requiring HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil monetary penalty (CMP) for the violation. The Final Rule clarifies that these changes apply to business associates as well as covered entities.
- Civil Monetary Penalty Liability: Consistent with HITECH, business associates now are subject to severe CMPs. The amount of the penalties increases based on the level of culpability, with the most draconian penalties to be levied for violations due to willful neglect. Each violation carries a minimum penalty of $50,000; the maximum is $1,500,000 for identical violations during a calendar year.
- Security Rule Obligations: Just like covered entities, business associates are now required as a matter of law to comply with the entirety of the Security Rule. This includes the administrative, physical, and technical safeguards; organizational requirements (including business associate agreements with subcontractor business associates); and maintaining policies, procedures, and proper documentation of Security Rule compliance. For unsuspecting business associates, these requirements may be particularly onerous, and the September 23, 2013 compliance date may come very quickly – even though HITECH was clear in this regard.
- Privacy Rule Obligations: The business associate Privacy Rule obligations were likely the most uncertain in the four years since HITECH first came on the scene. The Final Rule mandates that the Privacy Rule applies to business associates “where provided.” A few of the most noteworthy provisions:
- Adds a new section specifying required and permitted business associate uses and disclosures of PHI;
- Requires business associates to report breaches of unsecured PHI upstream; and
- Requires business associates to impose business associate regulatory and contractual obligations on subcontractor business associates.
HIPAA business associates who have not been paying attention since HITECH need to take notice. The timeframe for compliance is less than nine months. For those business associates who had been hoping for relief in the Final Rule (or simply have had their head in the sand for four years), waiting is no longer an option.
As we continue to digest the Final Rule, be sure to check in frequently as we anticipate much more to come in the next few weeks.
On January 17, 2013, HHS announced the release of the long-awaited final omnibus HIPAA rule. According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The final omnibus rule is based on the changes first imposed under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (“GINA”).
The final omnibus rule will be effective on March 26, 2013. Covered entities and business associates will have until September 23, 2013 to comply.
The omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH, which include:
- Make business associates directly liable for compliance with HIPAA Privacy Rule and Security Rule requirements.
- Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit sale of PHI without individual authorization.
- Expand individual rights to receive electronic copies of their health information and restrict disclosures to health plans concerning treatment for which an individual has paid out-of-pocket in full.
- Require modifications to and redistribution of a covered entity’s notice of privacy practice.
- Modify individual authorizations and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others.
- Adopt the HITECH enhancements to the Enforcement Rule.
2. Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH.
3. Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule’s “harm” threshold with a more objective standard.
4. Final rule modifying the HIPAA Privacy Rule as required by GINA.
The Rulemaking announced today, which will be published in the Federal Register on January 25, 2013, may be previewed in the Federal Register at https://www.federalregister.gov/public-inspection.
We will follow up this post with a series of blog posts analyzing this final rule.
OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance. On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule. This is the first settlement involving a breach of PHI affecting fewer than 500 individuals, and it sends a strong message to all covered entities that OCR will impose a penalty for HIPAA non-compliance regardless of the size of the breach.
This enforcement action arose out of the theft of an unencrypted laptop containing the protected health information of 441 individuals, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information. The laptop was stolen from a HONI employee’s car while it was parked at her home in June 2010.
Because the breach involved fewer than 500 individuals, OCR began its investigation after the hospice reported the breach to HHS at the end of 2010 as required by HITECH.
OCR sanctioned HONI after it discovered the hospice (1) had not conducted a security risk analysis as required by the HIPAA Security Rule; (2) did not have in place any policies or procedures to address mobile device security; and (3) did not implement security measures to address the risk of losing patient health information or maintain a process for managing that risk.
This enforcement action should serve as a warning to all covered entities, big and small, that Security Rule compliance must be a priority. At the very least, all covered entities should consider implementing the following Security Rule measures following the HONI settlement:
- Conduct (or update) an annual security risk analysis, including an evaluation of the potential risks to PHI maintained in and transmitted using portable electronic devices;
- Adopt security measures to ensure confidentiality of PHI created, maintained and transmitted using portable electronic devices;
- Properly encrypt PHI on laptops and other portable devices;
- Continually train employees on encryption and mobile device policies.