Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services. This is the first in a three-part miniseries following last month’s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy and Security Rules.
On Tuesday from noon until 12:30, we will explore the changes to the Privacy Rule, including:
- Greater restrictions on provider use and disclosure of PHI;
- Increased individual rights to PHI; and
- What must be done by September.
The webinar will probe into marketing and fundraising involving PHI, how providers can best respond to patients’ requests for their health information, and how your organization should address these changes both internally (via employee training and updating policies and procedures) and externally (by revising the notice of privacy practices).
To RSVP, or for more information, contact Kayla Allen at firstname.lastname@example.org.
Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule. In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates. Indeed, not only do “traditional” business associates have increased compliance obligations, but so do their vendors – many of whom might be entirely unaware of this fast-moving train barreling down the tracks.
With compliance deadlines around the corner, providers are likely wondering what this means for them. Most are quite familiar with the HIPAA requirement that they have a business associate agreement (“BAA”) in place with their business associates. For many, this has historically been nothing more than a low-priority formality. Now, they must ensure that these agreements adequately address downstream compliance obligations, in particular those related to an unauthorized access, use, or disclosure of PHI. More fundamentally, providers will need to be more vigilant in identifying their business associates. And, due to increased enforcement, providers may wish to shepherd their business associates as they strive to become compliant with HIPAA, and even consider periodically auditing these vendors for HIPAA compliance. As part of this process, which will be discussed in greater detail below, we suggest that providers consider educating their business associates on identifying subcontractors and making these vendors aware of their own HIPAA compliance obligations.
As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules. For those entities that have already taken steps following the release of the HITECH interim rules, the task may be a little less daunting (although policies, procedures, and NPPs must also be updated following release of the final rule), but for covered entities and business associates that have taken a “wait and see” approach to the final rule, the compliance clock is now running. September 23, 2013 is just 219 days away.
Here is a list of the key issues that every covered entity and business associate must address before September 23, 2013:
- Perform or update a Security Rule risk assessment to identify the potential risks and vulnerabilities of electronic PHI (a similar gap analysis should be performed to identify the risks and vulnerabilities of all PHI, i.e. paper files, x-rays, etc.). This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security and Privacy Rules.
- Encrypt, encrypt, encrypt.
- Develop or update HIPAA policies and procedures, including policies and procedures that address mobile devices and social media.
- Update and distribute Notice of Privacy Practices to reflect the provisions in the final Omnibus HIPAA rule.
- Review and update all business associate agreements to include and/or clarify breach notification provisions, indemnification obligations, and cyber-insurance requirements.
- Business associates must enter into business associate agreements with their downstream vendors who handle PHI. Covered entities, when contracting with their business associates, should review their business associates’ downstream vendor business associate agreements as part of their own due diligence.
- Develop or update breach response plan to include Final Rule’s new objective test for determining whether you have a reportable breach.
- Ensure that all employees are trained regularly to comply with your HIPAA policies and procedures. Consistently discipline employees who violate HIPAA policies and procedures.
- Consider procuring data breach/cyber insurance to cover the costs of a breach (which could include the following costs: investigation — including a forensic analysis, mitigation, notification, legal, PR, credit monitoring, fines and penalties).
We will begin a series of blog posts next week which will further analyze each of the changes in the Final Omnibus HIPAA Rule.
Presented by Vorys, Sater, Seymour and Pease LLP
On Thursday, Feb. 7, at noon, HealtHITech Law bloggers Lisa Reisz and Liam Gruzs will host a webinar discussing the release of the long-awaited final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.
The omnibus final rule is comprised of the following four final rules:
- Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH
- Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH
- Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule’s “harm” threshold with a more objective standard
- Final rule modifying the HIPAA Privacy Rule as required by GINA
February 7, 2013
Noon – 1 p.m.
RSVP to email@example.com.
Business Associates: You’re on notice.
When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent. Historically, business associates have been required to comply with HIPAA only insofar as dictated by their contractual relationships with covered entities. HITECH drastically changed this, mandating that certain HIPAA provisions apply directly to business associates.
In addition to specifying these obligations (discussed below), the Final Rule clarified to whom these obligations apply:
- Patient Safety Organizations – the Final Rule adopted the proposal to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.
- Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; Vendors of Personal Health Records – such entities that provide services with respect to PHI and require access on a routine basis to such PHI are considered business associates. Note that this is consistent with HHS’s prior interpretation, which advises that entities that act as “mere conduits” for transporting PHI, but do not access PHI other than on a random or infrequent basis, are not business associates.
- Subcontractors of Business Associates – downstream entities, i.e. persons to whom a business associate has delegated a function, activity or service that the business associate has agreed to perform for a covered entity or business associate, are now considered business associates. HHS made clear that no matter how far downstream the PHI flows, entities which meet the definition are business associates.
- Exceptions – the final rule carves out from the definition of business associate health care providers with respect to disclosures by a covered entity to the provider concerning the treatment of the individual. This change moves the exception from 164.502(e)(1)(ii), the standard for disclosures to a business associate.
Having clarified who is a business associate, the Final Rule adopted the following key proposed changes relative to business associates:
- Compliance and Enforcement: HITECH provided statutory authority requiring HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil monetary penalty (CMP) for the violation. The Final Rule clarifies that these changes apply to business associates as well as covered entities.
- Civil Monetary Penalty Liability: Consistent with HITECH, business associates now are subject to severe CMPs. The amount of the penalties increases based on the level of culpability, with the most draconian penalties to be levied for violations due to willful neglect. Each violation carries a minimum penalty of $50,000; the maximum is $1,500,000 for identical violations during a calendar year.
- Security Rule Obligations: Just like covered entities, business associates are now required as a matter of law to comply with the entirety of the Security Rule. This includes the administrative, physical, and technical safeguards; organizational requirements (including business associate agreements with subcontractor business associates); and maintaining policies, procedures, and proper documentation of Security Rule compliance. For unsuspecting business associates, these requirements may be particularly onerous, and the September 23, 2013 compliance date may come very quickly – even though HITECH was clear in this regard.
- Privacy Rule Obligations: The business associate Privacy Rule obligations were likely the most uncertain in the four years since HITECH first came on the scene. The Final Rule mandates that the Privacy Rule applies to business associates “where provided.” A few of the most noteworthy provisions:
  - Adds a new section specifying required and permitted business associate uses and disclosures of PHI;
  - Requires business associates to report breaches of unsecured PHI upstream; and
  - Requires business associates to impose business associate regulatory and contractual obligations on subcontractor business associates.
HIPAA business associates who have not been paying attention since HITECH need to take notice. The timeframe for compliance is less than nine months. For those business associates who had been hoping for relief in the Final Rule (or simply have had their head in the sand for four years), waiting is no longer an option.
As we continue to digest the Final Rule, be sure to check in frequently as we anticipate much more to come in the next few weeks.
On January 17, 2013, HHS announced the release of the long-awaited final omnibus HIPAA rule. According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The final omnibus rule is based on the changes first imposed under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (“GINA”).
The final omnibus rule will be effective on March 26, 2013. Covered entities and business associates will have until September 23, 2013 to comply.
The omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH, which include:
   - Make business associates directly liable for compliance with HIPAA Privacy Rule and Security Rule requirements.
   - Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit sale of PHI without individual authorization.
   - Expand individual rights to receive electronic copies of their health information and restrict disclosures to health plans concerning treatment for which an individual has paid out-of-pocket in full.
   - Require modifications to and redistribution of a covered entity’s notice of privacy practices.
   - Modify individual authorizations and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others.
   - Adopt the HITECH enhancements to the Enforcement Rule.
2. Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH.
3. Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule’s “harm” threshold with a more objective standard.
4. Final rule modifying the HIPAA Privacy Rule as required by GINA.
The rulemaking announced today, which will be published in the Federal Register on January 25, 2013, may be previewed in the Federal Register at https://www.federalregister.gov/public-inspection.
We will follow up this post with a series of blog posts analyzing this final rule.
OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance. On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule. This is the first settlement involving a breach of PHI affecting fewer than 500 individuals, and it sends a strong message to all covered entities that OCR will impose a penalty for HIPAA non-compliance regardless of the size of the breach.
This enforcement action arose out of the theft of an unencrypted laptop containing the protected health information of 441 individuals, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information. The laptop was stolen from a HONI employee’s car while it was parked at her home in June 2010.
Because the breach involved fewer than 500 individuals, OCR began its investigation after the hospice reported the breach to HHS at the end of 2010 as required by HITECH.
OCR sanctioned HONI after it discovered the hospice (1) had not conducted a security risk analysis as required by the HIPAA Security Rule; (2) did not have in place any policies or procedures to address mobile device security; and (3) did not implement security measures to address the risk of losing patient health information or maintain a process for managing that risk.
This enforcement action should serve as a warning to all covered entities, big and small, that Security Rule compliance must be a priority. At the very least, all covered entities should consider implementing the following Security Rule measures following the HONI settlement:
- Conduct (or update) an annual security risk analysis, including an evaluation of the potential risks to PHI maintained in and transmitted using portable electronic devices;
- Adopt security measures to ensure confidentiality of PHI created, maintained and transmitted using portable electronic devices;
- Properly encrypt PHI on laptops and other portable devices;
- Continually train employees on encryption and mobile device policies.
The Office of the National Coordinator for Health Information Technology (“ONC”) has released a Request for Comments on a preliminary set of recommendations for Stage 3 of the Meaningful Use requirements, which are slated to go into effect in 2016.
With its focus on improved outcomes, ONC envisions Stage 3 requirements as encouraging “a collaborative model of care with shared responsibility and accountability.” These recommendations reflect a transition from “a setting-specific focus to a collaborative, patient- and family-centric approach.” This emphasis on improved outcomes builds on the goals of Stage 1 (data capturing and sharing) and Stage 2 (advanced clinical processes).
Many of the Stage 3 recommendations reflect those seen in Stage 2, but require increased adoption in order for the provider to demonstrate Meaningful Use. In addition, the recommendations would retire certain measures that have “topped out” because Stage 2 required eligible professionals and hospitals to adopt them at an 80% threshold. For example, the Stage 2 requirement that eligible professionals and hospitals record the smoking status of more than 80% of patients age 13 years or older would no longer be necessary. The recommendations also include certain new objectives, such as enabling patients to add to or amend their medical records electronically, as well as requiring the provider to send electronic notification of a significant healthcare event, such as a patient’s arrival at an emergency department or admission or discharge from the hospital, to key members of that patient’s care team.
ONC is soliciting comments on these recommendations through January 14, 2013. The committee that developed the recommendations will analyze the feedback it receives and plans to revisit the recommendations in its public meetings in the first quarter of 2013.
The costs of HIPAA breaches are well-documented. Thefts of laptops containing sensitive health information of patients impose significant costs on providers and their business associates, ranging from preliminary investigations to mail notification of all patients impacted, to say nothing of the reputational harm inflicted by the mandatory self-reporting to CMS’s public wall of shame. If these costs were not enough, savvy plaintiff attorneys are finding ways to frame class actions based on these breaches, which, if successful, will add significant additional costs on top of these already severe regulatory penalties.
In a previous post, we addressed a consumer class action in which the Oregon Supreme Court held that the alleged harm – a risk of future identity theft – was not sufficient to provide a basis for a cause of action. In a recent decision in the Eleventh Circuit Court of Appeals, Resnick v. AvMed, the court reversed the district court’s dismissal, finding that the putative class alleged a cognizable injury sufficient for standing and to support their state law claims for recovery for losses suffered from identity theft following a data breach.
The facts of Resnick should sound familiar. A HIPAA covered entity had two laptops stolen from its Florida office. The laptops contained PHI, as well as social security numbers, and other personal information, of 1.2 million of its members. Nearly a year after the theft, the named plaintiffs alleged they had become victims of identity theft – bank accounts were opened, addresses were changed, credit cards were opened, and purchases were made. Naturally, they attributed their identity thefts to the laptop thefts.
The district court dismissed the complaint, finding that it failed to allege a cognizable injury. The Eleventh Circuit reversed, finding plaintiffs’ allegations of actual identity theft resulting from a data breach to be sufficient to constitute injury in fact. The court found a plausible, logical nexus between the data breach and the identity thefts. Plaintiffs alleged that they had not had their identities stolen or their sensitive information compromised prior to the laptop theft. They stated that they took considerable precautions with their own information, such as not transmitting unencrypted sensitive information over the internet. According to the Court, based on these facts, the allegations moved “from the realm of the possible into the plausible.”
To be sure, the defendant could have been more protective of its PHI to prevent the breach in the first place. The data could have been more secure, and the facility security probably could have been more robust. The Resnick decision did not address whether the defendant notified the plaintiffs, or took any remedial measures, such as attempting to locate the stolen information, or purchasing identity theft protection. Nevertheless, Resnick is particularly troubling for HIPAA covered entities and business associates because of the potential unanticipated costs which may come to light months or even years after the initial breach if the response to the breach is not handled properly. Although the upfront costs of a breach may be significant, these investments may prevent, or at least limit, future exposure if the breached information finds its way into the wrong hands.
The Centers for Medicare and Medicaid Services (“CMS”) Medicare and Medicaid EHR Incentive Programs Stage 2 final rule (“Final Rule”) made two key changes which should benefit providers seeking Medicaid incentive payments: (1) allowing more patient encounters to be included in satisfying the required patient volume threshold for eligible professionals; and (2) simplifying hospital reporting of discharges. This post is the third in our multi-part series exploring various issues related to the Final Rule. In case you missed them, here is our first, and here is our second.