BridgeFront  www.bridgefront.com  info@bridgefront.com  (866) 447-2211
Lewis Creek Systems, LLC
BridgeFront Welcomes You To:
HIPAA Omnibus Rule Compliance Checklist
Conference Line: (646) 558-2121
Access Code: 903-718-495
With Presenter:
Jim Sheldon-Dean, Director of Compliance Services
Lewis Creek Systems, LLC
If you are experiencing difficulties hearing or seeing this presentation, send an email to support@bridgefront.com or call 1 (866) 447-2211.
Jim Sheldon-Dean
Lewis Creek Systems, LLC
Today’s Presenter:
HIPAA Omnibus Rule Compliance Checklist
About Jim Sheldon-Dean
• BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT
• More than three decades in consulting, information systems, and software development
• Process, problem-solving oriented
• Eight years as Vermont EMT, crew chief
• 12 years specializing in HIPAA and health information privacy and security consulting
• Involved in WEDI, HIMSS, VITL, frequent speaker about HIPAA and information privacy and security
• See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc.
Our Time Together
Changes to HIPAA privacy policies and procedures.
New process for deciding on breach reportability.
Changes to HIPAA business associate relationships.
HITECH Act Updates to HIPAA
• Most of the proposed rules finalized in the big HIPAA Omnibus Update published January 25, 2013, effective March 26, 2013, enforceable September 23, 2013
• Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• New Combined Rules published by HHS OCR, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
Poll Question #1
Is your organization ready for the HIPAA Omnibus compliance deadline?
o Yes
o No
o I Don't Know
What’s New in HIPAA?
• New individual rights for access and requesting restrictions
• New restrictions on disclosures for marketing, sale of PHI; changes to rules for use of PHI for fundraising
• Notices of Privacy Practices must be updated
• Expansion of rules to Business Associates
• Change in the way to determine whether or not a breach must be reported
• New restrictions on use of genetic information by health plans
• PHI not protected >50 years after individual’s death
• No changes to Accounting of Disclosures or CLIA, yet…
Designated Record Set
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered healthcare provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
Use vs. Disclosure
• Per 45 C.F.R. §164.103 HIPAA Definitions
• Disclosure: the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information
• As distinct from Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information
Restriction of Disclosures
HITECH §13405(a): Individual may request no disclosure to insurer if paid out of pocket; must comply
In the HIPAA Omnibus Update, now under §164.522(a)(1)(vi)
Impact of Restriction of Disclosures to Insurers
• Must have a policy/procedure/process
• Required in your EHR to meet the law
• Can you flag such encounters?
• What about pass-through effects?
• Issues with aggregated data
• What about contracts with insurers?
• Must be in the Notice of Privacy Practices
Individual Access of PHI
• HIPAA §164.524: Must have a process for individual to request access, for reasonable cost-based fee
• Must provide the entire record in the Designated Record Set if requested:
– Medical and billing records used in whole or in part to make decisions related to health care
– New: Information kept electronically must be available electronically if requested
– Exceptions for Psychotherapy notes, CLIA, others
– Changes to HIPAA and CLIA proposed to allow access of lab information by individuals, not finalized yet
• New: 30-day extension for off-site records no longer allowed
Impacts of Individual Access of EHR Information
• All kinds of electronic info in designated record set, not just your formal EHR
• Have you performed inventory of PHI?
• Are access procedures in place?
• Who responds to requests for access?
• What are acceptable formats for electronic access?
• What if the patient wants you to send plain e-mail?
• Need to update the Notice of Privacy Practices
Individual Preferences for Communication
• §164.522(b)(1) Standard: Confidential Communications Requirements
– (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
• §164.524(c) Provision of Access
– (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format….
– New (c)(2)(ii): If PHI is electronic, individual may request electronic copy.
Calculating/Evaluating Risk
• Each Risk Issue has an Impact and Likelihood
– Impact is how great the damage would be; more information about more people with more detail is greater
– Likelihood is how likely it is that the risk issue would become a reality
• Risk = Impact x Likelihood
– If risk level appears low, an informed risk decision can be made by the patient
– Rights cannot be given up under HIPAA, but individuals can make an informed risk decision
Marketing Changes
• Marketing still requires an Authorization
• Treatment and healthcare operations do not require an authorization (with notice in the HIPAA Notice of Privacy Practices), except:
• Authorizations are required for all treatment and healthcare operations where the Covered Entity receives financial remuneration from a third party whose product or service is being marketed
• Exemptions from Authorization Requirement for face-to-face communication, refill reminders or other info about a drug or biologic that is currently prescribed (unless there is remuneration), communications promoting health in general that do not promote a product or service from a particular provider, and communications about government and government-sponsored programs
New Restrictions on Sale of PHI
• HIPAA §164.508(a)(4): If you disclose for remuneration, you must have an authorization stating that the disclosure results in remuneration
• Exceptions for public health, research, treatment and payment purposes, sale of practice, transfer to a BA providing services, to the individual, etc.
Fundraising Changes
• HITECH §13406(b) now effective under HIPAA §164.514(f)(1): Opportunity to Opt Out of Fundraising
• Demographic information, dates of healthcare services, department providing services, physician, health plan status, and outcome can be used for fundraising without authorization
• Notice of Privacy Practices must state so, may need to modify
• Easy Opt-out must be provided, by campaign or for all campaigns, must be honored, and can’t be used to condition treatment or payment
Update Notice of Privacy Practices
• HIPAA Notice of Privacy Practices must reflect individual rights and controls on uses and disclosures
– New right of access to electronic PHI
– New right of restriction of disclosures
– New right to be notified in the event of a breach
– Changes to Marketing and Fundraising
– GINA notice for health plan NPPs
• Must update policies and NPP together, by deadline
• Start using (and post) new version; no requirement for providers to redistribute to all patients
Poll Question #2
Has your HIPAA Notice of Privacy Practices been updated?
o No, not yet
o No, but we’re working on it
o Yes, we’re about to implement it
o Yes, we have already implemented it
Big Changes for Business Associates
• New definition of what is a Business Associate
• New application of rules directly to BAs
• New consideration of how the rules apply to “cloud” based vendors
• Need to update all Business Associate Agreements
What is a Business Associate?
• An individual or entity, not acting as an employee, that:
– Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA on behalf of a covered entity (CE) or another BA
– Provides legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services and needs PHI to do it
• Anything a CE or BA could do itself but has someone else do it for them, involving creation, receipt, maintenance, or transmission of PHI
• Now includes subcontractors, Patient Safety Organizations, Health Information Exchanges
What is a Business Associate?
• Includes:
– Billing service
– Shredding service
– Systems vendors who access PHI
• Does not include those who would have no reason to use, disclose, create, receive, maintain or transmit PHI, such as:
– Tradesmen (plumber, etc.)
– Housekeeping, etc.
• Not Payers, other Providers, or Workforce Members
• Not Conduits (USPS, FedEx, etc.)
Business Associates Now Directly Regulated by HIPAA
• Security Rule applies
• Breach Notification Rule applies
• Privacy Rule Use and Disclosure provisions apply
• Business Associates responsible for having contracts with Covered Entities and Subcontractors
• Business Associates liable for compliance and violations
• Contracts signed since January 25, 2013 must meet new standard by September 23, 2013
• Older, compliant contracts signed before January 25, 2013 and “evergreen” contracts have until September 23, 2014
Conduits, Persistence of Custody & Clouds
• A narrow BA exception for Conduits – simple delivery only
• Persistence of Custody of PHI creates a BA relationship
• Regular e-mail services have persistent custody of messages
• Are Cloud vendors Business Associates?
• Now under review by HHS (and cloud vendors)
• Principle of Persistence of Custody of PHI may apply in Cloud
• Don’t forget: Security includes Confidentiality, Integrity, and Availability
• Consider persistence of custody PHI, even if encrypted
Preparing to Update BAAs
• Prioritize by risk, expiration date
• Review for liability and indemnification of breaches
• Include new required elements
– Requirements for BAs and their subcontractors to comply with the HIPAA Security Rule, & specific sections of the HIPAA Privacy Rule
– New language surrounding breach notification and the securing of PHI
– New disclosure-related requirements for Electronic Health Records
– Removed: Requirement for clause obligating CEs to report noncompliance by a downstream entity to HHS
• New sample Business Associate Agreement provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Poll Question #3
Do you use any “cloud” vendors for handling any of your PHI?
o No, we don’t
o Yes, but we don’t treat them as Business Associates
o Yes, and we have them under a BA Agreement
o I don't know
One (Big) Change in Breach Notification
• Breach Notification final rule is same as proposed, with one change
• Significant change to how you decide if a breach must be reported or not
What is a Breach?
• A Reportable Breach is acquisition, access, use, or disclosure of unsecured PHI in violation of Privacy Rule; with some exceptions by law if:
– PHI is destroyed
– Unintentional, in good faith, with no further use (within your organization)
– Inadvertent and within job scope (within your organization)
– Info cannot be retained
• “Harm Standard” for evaluation of need to report removed
• Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment
Is It a Reportable Breach?
• All breaches not meeting an exception are reportable unless there is a “low probability of compromise” of the data, based on a risk assessment including at least:
– what was the info, how well identified was it, and is its release “adverse to the individual”
– to whom it was disclosed
– was it actually acquired or viewed
– the extent of mitigation
Breach Notification Decision Tree Step 1
• Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?
• If No, not a breach, end of process
• If an incident, document the incident fully and the determination of “not a breach”
• If Yes, go on to Step 2
Breach Notification Decision Tree Step 2
• Was the information secured according to HHS guidance, or destroyed?
• If Yes, not reportable, end of process; document the incident and determination of “not a reportable breach”
• If No, may be able to use lower security encryption in the evaluation of risk later in Step 5; go on to Step 3
Breach Notification Decision Tree Step 3
• Was the potential breach internal to your organization, AND unintentional, in good faith, with no further use, or inadvertent and within job scope?
• If Yes, not a breach, end of process, document the incident and determination of “not a breach”
• If No, go on to Step 4
Breach Notification Decision Tree Step 4
• Is there no way the breached information can be retained?
• If there is no way the PHI was retained, it is not a breach; end of process, document the incident and determination of “not a breach”
• If the breached information may be retained in some way, go on to Step 5
Breach Notification Decision Tree Step 5
• If you’ve gotten here, you have a breach, and now the only way to keep from having to report it is to do a risk assessment to see if there is a “low probability of compromise”
• If there is a low probability of compromise, it is not reportable, end of process, document incident and determination of “not a reportable breach”
• If NOT a low probability of compromise, MUST report
Breach Notification Risk Assessment
• Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment including at least:
– what was the info and how well identified was it (and is its release “adverse to the individual”)
– to whom it was disclosed
– was it actually acquired or viewed
– the extent of mitigation
Factor 1: Extent and nature of PHI
• Evaluate the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification – Consider:
– Financial and clinical sensitivity of the information
– Are direct or indirect identifiers included
– Can the information be linked for re-identification
– Does the person receiving the PHI have the ability to re-identify the PHI
Factor 2: Who Received the PHI
• Evaluate the nature of the unauthorized person who used the PHI or to whom the disclosure was made – Consider:
– Does the person have obligations to protect the privacy and security of the PHI
– Is the identity of the unauthorized person known
– What is the likelihood that the information would be used by an unauthorized recipient to adversely affect individuals or for personal gain
Factor 3: Was the PHI Viewed
• Evaluate whether the PHI involved was actually acquired or viewed – Consider:
– Was there opportunity to acquire or view the PHI
– Was the potential breach discovered and prevented before PHI was viewed or acquired
– What information are you relying on?
Factor 4: Was It Mitigated
• Evaluate the extent to which the risk to the PHI has been mitigated – Consider:
– Were satisfactory assurances obtained that PHI will not be further used or disclosed
– The person providing satisfactory assurances
– Are the satisfactory assurances written
Notification Determination Process Summary
1. Was there acquisition, access, use, or disclosure in violation of the Privacy Rule?
2. Was it secured?
3. Does it qualify for one of the internal exceptions?
4. Is the information un-retainable?
5. Is there a low probability of compromise per a risk assessment?
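The five-step decision tree and the four-factor Step 5 risk assessment, worked as an added Python example that is not part of the presentation. The field names, the constructed scenarios, and the rule used to combine the four factors into a “low probability of compromise” finding are assumptions made here for illustration; the slides state the factors but not how to weigh them.

```python
"""HIPAA breach notification decision tree (Steps 1-5) with the four-factor
risk assessment.  Added example for this page, not part of the original slides.
The step order and the four factors follow the slides; the rule that combines
the factors into a "low probability of compromise" finding is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RiskFactors:
    """Step 5: the four factors the risk assessment must include at minimum.
    Each is True when it weighs toward a LOW probability of compromise."""
    phi_unidentifiable_or_not_sensitive: bool  # Factor 1: nature/extent of PHI
    recipient_obligated_to_protect: bool       # Factor 2: who received the PHI
    phi_not_actually_viewed: bool              # Factor 3: acquired or viewed?
    mitigated_with_written_assurances: bool    # Factor 4: extent of mitigation

    def low_probability_of_compromise(self) -> bool:
        # Assumption (not on the slides): "low probability" when the PHI was
        # effectively unidentifiable, or was never actually viewed, or went to
        # a recipient bound to protect it who gave written assurances.
        # Anything else is treated as compromise and must be reported.
        return (self.phi_unidentifiable_or_not_sensitive
                or self.phi_not_actually_viewed
                or (self.recipient_obligated_to_protect
                    and self.mitigated_with_written_assurances))


@dataclass
class Incident:
    """Facts gathered during incident response, one field per decision step."""
    privacy_rule_violation: bool          # Step 1
    secured_or_destroyed: bool            # Step 2: secured per HHS guidance
    internal: bool                        # Step 3: inside your organization
    unintentional_good_faith: bool        # Step 3 exception: no further use
    inadvertent_within_job_scope: bool    # Step 3 exception
    could_be_retained: bool               # Step 4
    risk: Optional[RiskFactors] = None    # Step 5, required only if reached


@dataclass
class Determination:
    step: int              # step at which the process ended
    reportable: bool
    finding: str           # wording to record in the incident file
    log: List[str] = field(default_factory=list)  # document, document, document


def evaluate(inc: Incident) -> Determination:
    """Walk the five steps; stop at the first one that settles the question."""
    log: List[str] = []
    if not inc.privacy_rule_violation:
        log.append("Step 1: no Privacy Rule violation")
        return Determination(1, False, "not a breach", log)
    log.append("Step 1: PHI acquired/accessed/used/disclosed in violation of Privacy Rule")
    if inc.secured_or_destroyed:
        log.append("Step 2: PHI secured per HHS guidance or destroyed")
        return Determination(2, False, "not a reportable breach", log)
    log.append("Step 2: PHI was unsecured")
    if inc.internal and (inc.unintentional_good_faith or inc.inadvertent_within_job_scope):
        log.append("Step 3: internal exception applies")
        return Determination(3, False, "not a breach", log)
    log.append("Step 3: no internal exception")
    if not inc.could_be_retained:
        log.append("Step 4: no way the PHI was retained")
        return Determination(4, False, "not a breach", log)
    log.append("Step 4: PHI may have been retained")
    if inc.risk is None:
        raise ValueError("Step 5 reached: a documented four-factor risk assessment is required")
    if inc.risk.low_probability_of_compromise():
        log.append("Step 5: low probability of compromise")
        return Determination(5, False, "not a reportable breach", log)
    log.append("Step 5: NOT a low probability of compromise")
    return Determination(5, True, "reportable breach, MUST report", log)


# Constructed scenarios (not from the slides), one per exit of the tree.
SCENARIOS: Dict[str, Incident] = {
    "encrypted_laptop_stolen": Incident(True, True, False, False, False, True),
    "nurse_opens_wrong_chart": Incident(True, False, True, False, True, True),
    "eob_mailed_wrong_address_returned_unopened":
        Incident(True, False, False, False, False, False),
    "fax_to_other_provider_who_shredded_it": Incident(
        True, False, False, False, False, True,
        RiskFactors(False, True, False, True)),
    "unencrypted_laptop_stolen": Incident(
        True, False, False, False, False, True,
        RiskFactors(False, False, False, False)),
}

if __name__ == "__main__":
    for name, inc in SCENARIOS.items():
        d = evaluate(inc)
        print(f"{name}: ended at step {d.step}, {d.finding}")
```

Every exit writes the step reached and the wording of the determination into `log`, which is the record the slides keep insisting on regardless of whether anything is reported.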
Poll Question #4
Do you have a breach notification policy and procedure in place?
o Yes, and we have used it
o Yes, but we haven't had to try it yet
o I think we have some informal policy somewhere
o Yes, but it's not adequate
o No
Statistics on HIPAA Breach Notification
• For reported breaches of 500 or more individuals’ PHI in the first year of the reporting requirement:
– 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%) – Old-fashioned physical security of valuable data
– 17% are caused by unauthorized access or disclosure
– 6% are caused by hacking
• Portable data, laptops, smart phones, memory sticks the leaders for breaches of PHI
• HHS Wall of Shame for large breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Most Frequent HIPAA Security Issues, per HHS OCR
• Lack of Incident Response and Reporting Process
• Lack of Security Awareness and Training
• Poor Technical Access Control
• Poor Administrative Information Access Management
• Poor Physical Workstation Security
Source: Presentation by OCR at NIST/OCR HIPAA Security Conference, May 11, 2011
Lessons Learned From PHI Breaches
• Have physical safeguards for areas where paper records are stored or used
• Reduce risk through network or enterprise storage as alternative to local devices
• Encrypt data at rest on any desktop or portable device/media storing ePHI
• Have clear and well documented administrative and physical safeguards on the storage devices and removable media which handle ePHI
• Raise the security awareness of workforce members and managers to promote good data stewardship
New Enforcement Definitions
• Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect
• Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
• Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
Tiered Penalty Structure
• HIPAA Privacy Rule §160.404 – Penalty Amounts
• Tier 1: Did not know and, with reasonable diligence, would not have known – $100 - $50,000 per violation
• Tier 2: Violation due to reasonable cause and not willful neglect – $1,000 - $50,000 per violation
• Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence – $10,000 - $50,000 per violation
• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence – $50,000 per violation
• $1.5 million maximum for all violations of a similar type in a calendar year
HHS is Serious about Enforcement
• $4.3 million fine for Cignet Health of Maryland for multiple violations
• $1 million settlement with Mass General Hospital
• $865K+ settlement with UCLA Medical Center for snooping in records
• Multiple multi-million dollar settlements with pharmacies
• $100K settlement with a physician’s office for Security Rule violations
• $1.5 million settlement with BC/BS of Tennessee for lost hard drives
• $1.7 million settlement with Alaska Medicaid for lack of security process
• $1.5 million settlement with MEEI for lack of security for portable devices
• $500K settlement with Hospice of North Idaho for insecure laptop
• $400K settlement with Idaho State University for insecure server, process
• $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations
• $1.7 million settlement with WellPoint for insecure server, no process
• $1.2 million settlement with Affinity Health for insecure disposal of copiers
Your To-Do List…
• Don’t be in denial – willful neglect will cost you
• Prepare for new individual rights
• Find and prioritize (by risk) BA agreements
• Make sure EHR vendors can meet restriction requirements and provide electronic copies
• Update your Breach Notification evaluation process
• Review your policies and procedures per the rules
• Document, document, document!
• Conduct drills in audit and breach response
• Make corrections based on results
• Always have a plan for moving forward, and follow it!
Please let me know if you have any questions! I’m always happy to help.
Jim Sheldon-Dean
jim@lewiscreeksystems.com
www.lewiscreeksystems.com
802-425-3839
Thank You!

COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptxBibekananda shah
 
Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Prerana Jadhav
 
97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAAjennyeacort
 
systemic bacteriology (7)............pptx
systemic bacteriology (7)............pptxsystemic bacteriology (7)............pptx
systemic bacteriology (7)............pptxEyobAlemu11
 
SGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdf
SGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdfSGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdf
SGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdfHongBiThi1
 
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATROApril 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATROKanhu Charan
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdfPNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfDolisha Warbi
 
Introduction to Sports Injuries by- Dr. Anjali Rai
Introduction to Sports Injuries by- Dr. Anjali RaiIntroduction to Sports Injuries by- Dr. Anjali Rai
Introduction to Sports Injuries by- Dr. Anjali RaiGoogle
 
History and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfHistory and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfSasikiranMarri
 
Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!ibtesaam huma
 
Radiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptxRadiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptxDr. Dheeraj Kumar
 
Culture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxCulture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxDr. Dheeraj Kumar
 
VarSeq 2.6.0: Advancing Pharmacogenomics and Genomic Analysis
VarSeq 2.6.0: Advancing Pharmacogenomics and Genomic AnalysisVarSeq 2.6.0: Advancing Pharmacogenomics and Genomic Analysis
VarSeq 2.6.0: Advancing Pharmacogenomics and Genomic AnalysisGolden Helix
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxSasikiranMarri
 
Presentation on Parasympathetic Nervous System
Presentation on Parasympathetic Nervous SystemPresentation on Parasympathetic Nervous System
Presentation on Parasympathetic Nervous SystemPrerana Jadhav
 
Presentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptx
Presentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptxPresentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptx
Presentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptxpdamico1
 
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara RajendranMusic Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara RajendranTara Rajendran
 

Dernier (20)

Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and  determinants of glomerular filtration .pptxGlomerular Filtration and  determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptx
 
Epilepsy
EpilepsyEpilepsy
Epilepsy
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus  for undergraduate.pptxepilepsy and status epilepticus  for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptx
 
COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptx
COVID-19  (NOVEL CORONA  VIRUS DISEASE PANDEMIC ).pptxCOVID-19  (NOVEL CORONA  VIRUS DISEASE PANDEMIC ).pptx
COVID-19 (NOVEL CORONA VIRUS DISEASE PANDEMIC ).pptx
 
Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.
 
97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA
 
systemic bacteriology (7)............pptx
systemic bacteriology (7)............pptxsystemic bacteriology (7)............pptx
systemic bacteriology (7)............pptx
 
SGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdf
SGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdfSGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdf
SGK HÓA SINH NĂNG LƯỢNG SINH HỌC 2006.pdf
 
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATROApril 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATRO
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdfPNEUMOTHORAX   AND  ITS  MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
 
Introduction to Sports Injuries by- Dr. Anjali Rai
Introduction to Sports Injuries by- Dr. Anjali RaiIntroduction to Sports Injuries by- Dr. Anjali Rai
Introduction to Sports Injuries by- Dr. Anjali Rai
 
History and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfHistory and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdf
 
Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!Biomechanics- Shoulder Joint!!!!!!!!!!!!
Biomechanics- Shoulder Joint!!!!!!!!!!!!
 
Radiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptxRadiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptx
 
Culture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxCulture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptx
 
VarSeq 2.6.0: Advancing Pharmacogenomics and Genomic Analysis
VarSeq 2.6.0: Advancing Pharmacogenomics and Genomic AnalysisVarSeq 2.6.0: Advancing Pharmacogenomics and Genomic Analysis
VarSeq 2.6.0: Advancing Pharmacogenomics and Genomic Analysis
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptx
 
Presentation on Parasympathetic Nervous System
Presentation on Parasympathetic Nervous SystemPresentation on Parasympathetic Nervous System
Presentation on Parasympathetic Nervous System
 
Presentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptx
Presentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptxPresentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptx
Presentation for Bella Mahl 2024-03-28-24-MW-Overview-Bella.pptx
 
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara RajendranMusic Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
 

HIPAA Omnibus Rule Compliance Checklist

  • 1. BridgeFront  www.bridgefront.com  info@bridgefront.com  (866) 447-2211 Lewis Creek Systems, LLC BridgeFront Welcomes You To: HIPAA Omnibus Rule Compliance Checklist Conference Line: (646) 558-2121 Access Code: 903-718-495 With Presenter: Jim Sheldon-Dean, Director of Compliance Services Lewis Creek Systems, LLC If you are experiencing difficulties hearing or seeing this presentation, send an email to support@bridgefront.com or call 1 (866) 447-2211.
  • 2. Today’s Presenter: Jim Sheldon-Dean, Lewis Creek Systems, LLC
  • 3. About Jim Sheldon-Dean
    • BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT
    • More than three decades in consulting, information systems, and software development
    • Process, problem-solving oriented
    • Eight years as Vermont EMT, crew chief
    • 12 years specializing in HIPAA and health information privacy and security consulting
    • Involved in WEDI, HIMSS, VITL; frequent speaker about HIPAA and information privacy and security
    • See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc.
  • 4. Our Time Together
    • Changes to HIPAA privacy policies and procedures.
    • New process for deciding on breach reportability.
    • Changes to HIPAA business associate relationships.
  • 5. HITECH Act Updates to HIPAA
    • Most of the proposed rules were finalized in the big HIPAA Omnibus Update, published January 25, 2013, effective March 26, 2013, enforceable September 23, 2013
    • Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
    • New Combined Rules published by HHS OCR, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
  • 6. Poll Question #1: Is your organization ready for the HIPAA Omnibus compliance deadline?
    o Yes
    o No
    o I Don't Know
  • 7. What’s New in HIPAA?
    • New individual rights for access and for requesting restrictions
    • New restrictions on disclosures for marketing and sale of PHI; changes to rules for use of PHI for fundraising
    • Notices of Privacy Practices must be updated
    • Expansion of rules to Business Associates
    • Change in the way to determine whether or not a breach must be reported
    • New restrictions on use of genetic information by health plans
    • PHI not protected more than 50 years after the individual’s death
    • No changes to Accounting of Disclosures or CLIA, yet…
  • 8. Designated Record Set
    (1) A group of records maintained by or for a covered entity that is:
    (i) The medical records and billing records about individuals maintained by or for a covered healthcare provider;
    (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
    (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
  • 9. Use vs. Disclosure
    • Per 45 C.F.R. §164.103 HIPAA Definitions
    • Disclosure: the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information
    • As distinct from Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information
  • 10. Restriction of Disclosures
    • HITECH §13405(a): An individual may request that there be no disclosure to the insurer if the service is paid out of pocket; the provider must comply
    • In the HIPAA Omnibus Update, now under §164.522(a)(1)(vi)
  • 11. Impact of Restriction of Disclosures to Insurers
    • Must have a policy/procedure/process
    • Required in your EHR to meet the law
    • Can you flag such encounters?
    • What about pass-through effects?
    • Issues with aggregated data
    • What about contracts with insurers?
    • Must be in the Notice of Privacy Practices
  • 12. Individual Access of PHI
    • HIPAA §164.524: Must have a process for an individual to request access, for a reasonable cost-based fee
    • Must provide the entire record in the Designated Record Set if requested:
      – Medical and billing records used in whole or in part to make decisions related to health care
      – New: Information kept electronically must be available electronically if requested
      – Exceptions for psychotherapy notes, CLIA, others
      – Changes to HIPAA and CLIA proposed to allow access of lab information by individuals; not finalized yet
    • New: 30-day extension for off-site records no longer allowed
  • 13. Impacts of Individual Access of EHR Information
    • All kinds of electronic info in the designated record set, not just your formal EHR
    • Have you performed an inventory of PHI?
    • Are access procedures in place?
    • Who responds to requests for access?
    • What are acceptable formats for electronic access?
    • What if the patient wants you to send plain e-mail?
    • Need to update the Notice of Privacy Practices
  • 14. Individual Preferences for Communication
    • §164.522(b)(1) Standard: Confidential Communications Requirements
      – (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
    • §164.524(c) Provision of Access
      – (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format….
      – New (c)(2)(ii): If PHI is electronic, the individual may request an electronic copy.
  • 15. Calculating/Evaluating Risk
    • Each Risk Issue has an Impact and a Likelihood
      – Impact is how great the damage would be; more information about more people with more detail means greater impact
      – Likelihood is how likely it is that the risk issue would become a reality
    • Risk = Impact x Likelihood
      – If the risk level appears low, an informed risk decision can be made by the patient
      – Rights cannot be given up under HIPAA, but individuals can make an informed risk decision
  • 16. Marketing Changes
    • Marketing still requires an Authorization
    • Treatment and healthcare operations do not require an authorization (with notice in the HIPAA Notice of Privacy Practices), except:
    • Authorizations are required for all treatment and healthcare operations where the Covered Entity receives financial remuneration from a third party whose product or service is being marketed
    • Exemptions from the Authorization Requirement: face-to-face communication; refill reminders or other info about a drug or biologic that is currently prescribed (unless there is remuneration); communications promoting health in general that do not promote a product or service from a particular provider; and communications about government and government-sponsored programs
  • 17. New Restrictions on Sale of PHI
    • HIPAA §164.508(a)(4): If you disclose PHI for remuneration, you must have an authorization stating that the disclosure results in remuneration
    • Exceptions for public health, research, treatment and payment purposes, sale of a practice, transfer to a BA providing services, disclosure to the individual, etc.
  • 18. Fundraising Changes
    • HITECH §13406(b) now effective under HIPAA §164.514(f)(1): Opportunity to Opt Out of Fundraising
    • Demographic information, dates of healthcare services, department providing services, physician, health plan status, and outcome can be used for fundraising without authorization
    • Notice of Privacy Practices must state so; may need to modify
    • An easy opt-out must be provided, by campaign or for all campaigns; it must be honored, and can’t be used to condition treatment or payment
  • 19. Update Notice of Privacy Practices
    • HIPAA Notice of Privacy Practices must reflect individual rights and controls on uses and disclosures:
      – New right of access to electronic PHI
      – New right of restriction of disclosures
      – New right to be notified in the event of a breach
      – Changes to Marketing and Fundraising
      – GINA notice for health plan NPPs
    • Must update policies and NPP together, by the deadline
    • Start using (and post) the new version; no requirement for providers to redistribute to all patients
  • 20. Poll Question #2: Has your HIPAA Notice of Privacy Practices been updated?
    o No, not yet
    o No, but we’re working on it
    o Yes, we’re about to implement it
    o Yes, we have already implemented it
  • 21. Big Changes for Business Associates
    • New definition of what is a Business Associate
    • New application of rules directly to BAs
    • New consideration of how the rules apply to “cloud” based vendors
    • Need to update all Business Associate Agreements
  • 22. What is a Business Associate?
    • An individual or entity, not acting as an employee, that:
      – Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA on behalf of a covered entity (CE) or another BA
      – Provides legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services and needs PHI to do it
    • Anything a CE or BA could do itself but has someone else do for it, involving creation, receipt, maintenance, or transmission of PHI
    • Now includes subcontractors, Patient Safety Organizations, Health Information Exchanges
  • 23. What is a Business Associate? (continued)
    • Includes:
      – Billing service
      – Shredding service
      – Systems vendors who access PHI
    • Does not include those who would have no reason to use, disclose, create, receive, maintain or transmit PHI, such as:
      – Tradesmen (plumber, etc.)
      – Housekeeping, etc.
    • Not Payers, other Providers, or Workforce Members
    • Not Conduits (USPS, FedEx, etc.)
  • 24. Business Associates Now Directly Regulated by HIPAA
    • Security Rule applies
    • Breach Notification Rule applies
    • Privacy Rule Use and Disclosure provisions apply
    • Business Associates are responsible for having contracts with Covered Entities and Subcontractors
    • Business Associates are liable for compliance and violations
    • Contracts signed since January 25, 2013 must meet the new standard by September 23, 2013
    • Older, compliant contracts signed before January 25, 2013 and “evergreen” contracts have until September 23, 2014
  • 25. Conduits, Persistence of Custody & Clouds
    • A narrow BA exception for Conduits: simple delivery only
    • Persistence of Custody of PHI creates a BA relationship
    • Regular e-mail services have persistent custody of messages
    • Are Cloud vendors Business Associates?
    • Now under review by HHS (and cloud vendors)
    • The principle of Persistence of Custody of PHI may apply in the Cloud
    • Don’t forget: Security includes Confidentiality, Integrity, and Availability
    • Consider persistence of custody of PHI, even if it is encrypted
  • 26. Preparing to Update BAAs
    • Prioritize by risk, expiration date
    • Review for liability and indemnification of breaches
    • Include new required elements:
      – Requirements for BAs and their subcontractors to comply with the HIPAA Security Rule and specific sections of the HIPAA Privacy Rule
      – New language surrounding breach notification and the securing of PHI
      – New disclosure-related requirements for Electronic Health Records
      – Removed: Requirement for a clause obligating CEs to report noncompliance by a downstream entity to HHS
    • New sample Business Associate Agreement provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
  • 27. Poll Question #3: Do you use any “cloud” vendors for handling any of your PHI?
    o No, we don’t
    o Yes, but we don’t treat them as Business Associates
    o Yes, and we have them under a BA Agreement
    o I don't know
  • 28. One (Big) Change in Breach Notification
    • The Breach Notification final rule is the same as proposed, with one change
    • Significant change to how you decide whether or not a breach must be reported
  • 29. What is a Breach?
    • A Reportable Breach is acquisition, access, use, or disclosure of unsecured PHI in violation of the Privacy Rule, with some exceptions by law if:
      – PHI is destroyed
      – Unintentional, in good faith, with no further use (within your organization)
      – Inadvertent and within job scope (within your organization)
      – Info cannot be retained
    • “Harm Standard” for evaluation of the need to report removed
    • Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment
  • 30. Is It a Reportable Breach?
    • All breaches not meeting an exception are reportable unless there is a “low probability of compromise” of the data, based on a risk assessment including at least:
      – what the info was, how well identified it was, and whether its release is “adverse to the individual”
      – to whom it was disclosed
      – whether it was actually acquired or viewed
      – the extent of mitigation
  • 31. Breach Notification Decision Tree, Step 1
    • Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?
    • If No, not a breach; end of process
    • If an incident, document the incident fully and the determination of “not a breach”
    • If Yes, go on to Step 2
  • 32. Breach Notification Decision Tree, Step 2
    • Was the information secured according to HHS guidance, or destroyed?
    • If Yes, not reportable; end of process. Document the incident and the determination of “not a reportable breach”
    • If No, you may be able to use lower-security encryption in the evaluation of risk later, in Step 5; go on to Step 3
  • 33. Breach Notification Decision Tree, Step 3
    • Was the potential breach internal to your organization, AND unintentional, in good faith, with no further use, or inadvertent and within job scope?
    • If Yes, not a breach; end of process. Document the incident and the determination of “not a breach”
    • If No, go on to Step 4
  • 34. Breach Notification Decision Tree, Step 4
    • Is there no way the breached information can be retained?
    • If there is no way the PHI was retained, it is not a breach; end of process. Document the incident and the determination of “not a breach”
    • If the breached information may be retained in some way, go on to Step 5
  • 35. Breach Notification Decision Tree, Step 5
    • If you’ve gotten here, you have a breach, and now the only way to avoid having to report it is to do a risk assessment to see if there is a “low probability of compromise”
    • If there is a low probability of compromise, it is not reportable; end of process. Document the incident and the determination of “not a reportable breach”
    • If NOT a low probability of compromise, you MUST report
  • 36. Breach Notification Risk Assessment
    • Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment including at least:
      – what the info was and how well identified it was (and whether its release is “adverse to the individual”)
      – to whom it was disclosed
      – whether it was actually acquired or viewed
      – the extent of mitigation
  • 37. Factor 1: Extent and Nature of PHI
    • Evaluate the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    • Consider:
      – Financial and clinical sensitivity of the information
      – Are direct or indirect identifiers included?
      – Can the information be linked for re-identification?
      – Does the person receiving the PHI have the ability to re-identify it?
  • 38. Factor 2: Who Received the PHI
    • Evaluate the nature of the unauthorized person who used the PHI or to whom the disclosure was made
    • Consider:
      – Does the person have obligations to protect the privacy and security of the PHI?
      – Is the identity of the unauthorized person known?
      – What is the likelihood that the information would be used by an unauthorized recipient to adversely affect individuals or for personal gain?
  • 39. Factor 3: Was the PHI Viewed
    • Evaluate whether the PHI involved was actually acquired or viewed
    • Consider:
      – Was there opportunity to acquire or view the PHI?
      – Was the potential breach discovered and prevented before PHI was viewed or acquired?
      – What information are you relying on?
  • 40. Factor 4: Was It Mitigated
    • Evaluate the extent to which the risk to the PHI has been mitigated
    • Consider:
      – Were satisfactory assurances obtained that the PHI will not be further used or disclosed?
      – Who is the person providing the satisfactory assurances?
      – Are the satisfactory assurances written?
  • 41. Notification Determination Process Summary
    1. Was there acquisition, access, use, or disclosure in violation of the Privacy Rule?
    2. Was it secured?
    3. Does it qualify for one of the internal exceptions?
    4. Is the information un-retainable?
    5. Is there a low probability of compromise per a risk assessment?
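The five-step determination process and the four risk-assessment factors above, walked through as an added Python example (this is not code from the presenter, BridgeFront or HHS). The Incident fields, the conservative rule that all four factors must weigh toward a low probability of compromise, and the sample incidents are constructed assumptions; the page lists the factors but prescribes no scoring formula.

```python
# Added example of the five-step breach determination on this page; not
# code from the presenter, BridgeFront or HHS.  Field names, the Step 5
# scoring rule and the sample incidents are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

NOT_A_BREACH, NOT_REPORTABLE, REPORTABLE = (
    "not a breach", "not a reportable breach", "reportable breach")


@dataclass
class Incident:
    description: str
    privacy_rule_violation: bool          # Step 1
    secured_or_destroyed: bool            # Step 2: per HHS guidance, or destroyed
    internal: bool                        # Step 3: within your organization
    good_faith_or_job_scope: bool         # Step 3: unintentional/no further use,
                                          #   or inadvertent and within job scope
    retainable: bool                      # Step 4: could the PHI be kept?
    # Step 5 factors; True means the factor weighs toward a "low probability of
    # compromise".  How to weigh them is an assumption, not from the page.
    limited_phi_not_adverse: bool = False     # Factor 1: nature/extent of PHI
    recipient_obligated: bool = False         # Factor 2: who received it
    not_acquired_or_viewed: bool = False      # Factor 3: acquired or viewed?
    written_assurances: bool = False          # Factor 4: mitigation


def risk_assessment(inc: Incident) -> Tuple[bool, List[str]]:
    """Step 5.  Assumed conservative rule: every factor must weigh toward low
    probability; the page lists the factors but prescribes no formula."""
    factors = [("Factor 1 nature/extent of PHI", inc.limited_phi_not_adverse),
               ("Factor 2 recipient", inc.recipient_obligated),
               ("Factor 3 acquired/viewed", inc.not_acquired_or_viewed),
               ("Factor 4 mitigation", inc.written_assurances)]
    notes = [f"{n}: {'low' if ok else 'elevated'}" for n, ok in factors]
    return all(ok for _, ok in factors), notes


def determine(inc: Incident) -> Tuple[str, List[str]]:
    """Walk Steps 1-5; return (determination, documentation trail).  Every exit
    is logged because each step on the page says to document the decision."""
    log = [f"Incident: {inc.description}"]
    if not inc.privacy_rule_violation:                               # Step 1
        log.append("Step 1: no Privacy Rule violation -> not a breach")
        return NOT_A_BREACH, log
    log.append("Step 1: acquisition/access/use/disclosure violated Privacy Rule")
    if inc.secured_or_destroyed:                                     # Step 2
        log.append("Step 2: secured per HHS guidance or destroyed -> not reportable")
        return NOT_REPORTABLE, log
    log.append("Step 2: PHI was unsecured")
    if inc.internal and inc.good_faith_or_job_scope:                 # Step 3
        log.append("Step 3: internal exception applies -> not a breach")
        return NOT_A_BREACH, log
    log.append("Step 3: no internal exception")
    if not inc.retainable:                                           # Step 4
        log.append("Step 4: PHI could not be retained -> not a breach")
        return NOT_A_BREACH, log
    log.append("Step 4: PHI may have been retained; this is a breach")
    low, notes = risk_assessment(inc)                                # Step 5
    log.extend("Step 5: " + n for n in notes)
    if low:
        log.append("Step 5: low probability of compromise -> not reportable")
        return NOT_REPORTABLE, log
    log.append("Step 5: probability of compromise not low -> MUST report")
    return REPORTABLE, log


def external_unsecured(desc: str, **factors: bool) -> Incident:
    """Helper for the common case: external party, unsecured, retainable PHI."""
    return Incident(desc, True, False, False, False, True, **factors)


# Constructed sample incidents, not real events.
SAMPLES: Dict[str, Incident] = {
    "permitted_disclosure": Incident(
        "Record faxed to the referring physician for treatment (permitted use)",
        False, False, False, False, True),
    "stolen_laptop": external_unsecured(
        "Unencrypted laptop with 2,000 patient records stolen from a car"),
    "encrypted_laptop": Incident(
        "Lost laptop, full-disk encryption meeting HHS guidance", True, True,
        False, False, True),
    "wrong_chart": Incident(
        "Nurse opened the wrong patient's chart, closed it, no further use",
        True, False, True, True, True),
    "misdirected_reminder": external_unsecured(
        "Appointment reminder (name, date) e-mailed to another covered entity, "
        "which deleted it unread and confirmed so in writing",
        limited_phi_not_adverse=True, recipient_obligated=True,
        not_acquired_or_viewed=True, written_assurances=True),
}


if __name__ == "__main__":
    for key, inc in SAMPLES.items():
        print("\n".join(determine(inc)[1]), end="\n\n")
```

Each call returns the determination together with the documentation trail that every step on the page requires; the encrypted-laptop case shows why Step 2 makes encryption that meets HHS guidance the cheapest control on the whole tree.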
  • 42. BridgeFront  www.bridgefront.com  info@bridgefront.com  (866) 447-2211 Lewis Creek Systems, LLC Poll Question #4 Do you have a breach notification policy and procedure in place? o Yes, and we have used it o Yes, but we haven't had to try it yet o I think we have some informal policy somewhere o Yes, but it's not adequate o No
  • 43. BridgeFront  www.bridgefront.com  info@bridgefront.com  (866) 447-2211 Lewis Creek Systems, LLC Statistics on HIPAA Breach Notification • For reported breaches of 500 or more individuals’ PHI in the first year of the reporting requirement: – 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%) – Old-fashioned physical security of valuable data – 17% are caused by unauthorized access or disclosure – 6% are caused by hacking • Portable data, laptops, smart phones, memory sticks the leaders for breaches of PHI • HHS Wall of Shame for large breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breach notificationrule/breachtool.html
  • 44. BridgeFront  www.bridgefront.com  info@bridgefront.com  (866) 447-2211 Lewis Creek Systems, LLC Most Frequent HIPAA Security Issues, per HHS OCR • Lack of Incident Response and Reporting Process • Lack of Security Awareness and Training • Poor Technical Access Control • Poor Administrative Information Access Management • Poor Physical Workstation Security Source: Presentation by OCR at NIST/OCR HIPAA Security Conference, May 11, 2011
  • 45. BridgeFront  www.bridgefront.com  info@bridgefront.com  (866) 447-2211 Lewis Creek Systems, LLC Lessons Learned From PHI Breaches • Have physical safeguards for areas where paper records are stored or used • Reduce risk through network or enterprise storage as alternative to local devices • Encrypt data at rest on any desktop or portable device/media storing ePHI • Have clear and well documented administrative and physical safeguards on the storage devices and removable media which handle ePHI • Raise the security awareness of workforce members and managers to promote good data stewardship
New Enforcement Definitions
• Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect
• Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
• Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
Tiered Penalty Structure
• HIPAA Privacy Rule §160.404 – Penalty Amounts
• Tier 1: Did not know and, with reasonable diligence, would not have known
– $100 - $50,000 per violation
• Tier 2: Violation due to reasonable cause and not willful neglect
– $1,000 - $50,000 per violation
• Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence
– $10,000 - $50,000 per violation
• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence
– $50,000 per violation
• $1.5 million maximum for all violations of a similar type in a calendar year
HHS is Serious about Enforcement
• $4.3 million fine for Cignet Health of Maryland for multiple violations
• $1 million settlement with Mass General Hospital
• $865K+ settlement with UCLA Medical Center for snooping in records
• Multiple multi-million dollar settlements with pharmacies
• $100K settlement with a physician’s office for Security Rule violations
• $1.5 million settlement with BC/BS of Tennessee for lost hard drives
• $1.7 million settlement with Alaska Medicaid for lack of security process
• $1.5 million settlement with MEEI for lack of security for portable devices
• $500K settlement with Hospice of North Idaho for insecure laptop
• $400K settlement with Idaho State University for insecure server, process
• $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations
• $1.7 million settlement with WellPoint for insecure server, no process
• $1.2 million settlement with Affinity Health for insecure disposal of copiers
Your To-Do List…
 Don’t be in denial – willful neglect will cost you
 Prepare for new individual rights
 Find and prioritize (by risk) BA agreements
 Make sure EHR vendors can meet restriction requirements and provide electronic copies
 Update your Breach Notification evaluation process
 Review your policies and procedures per the rules
 Document, document, document!
 Conduct drills in audit and breach response
 Make corrections based on results
 Always have a plan for moving forward, and follow it!
Please let me know if you have any questions! I’m always happy to help.
Jim Sheldon-Dean
jim@lewiscreeksystems.com
www.lewiscreeksystems.com
802-425-3839
Thank You!