Introduction to HIPAA HITECH and Risks Associated With PHI and/or PI
April 25, 2013

William Ewy, CIPP/US
Privacy and Security Practice Manager
ePlace Solutions, Inc.
Provider of NoDataBreach.com Risk Management Service

NoDataBreach.com
• Included with Cyber Insurance Policy
• Cyber Risk Management Service
  – Online Materials
  – Webinars
  – Materials Distributed via Email
  – Phone and Email Support

Threat and Costs of Data Breaches and ID Theft
• Damage to individuals
  – ID theft, loss of privacy
• Costs for organizations
  – Forensic investigations to determine cause and extent
  – Fines, penalties and potential legal costs
  – Preparing and distributing breach notification letters; call center to answer victim questions
  – Credit monitoring for victims
  – Damage to reputation/loss of customer confidence

Example HHS Settlements
• Phoenix Cardiac Surgery (5-physician practice)
  – Reported to OCR for posting clinical and surgical appointments on an Internet-based calendar
  – OCR found PCS had few policies and procedures to comply with the HIPAA Privacy and Security Rules
  – Fined $100,000; required to implement a follow-up plan
• Hospice of North Idaho
  – OCR investigation began after HONI reported theft of an unencrypted laptop
  – 1st settlement involving fewer than 500 individuals
  – Fined $50,000

From HHS “Wall of Shame”
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

Attorneys General Beginning to Use HIPAA Enforcement Authority
• Accretive Health, Inc. sued by Minnesota AG
• South Shore Hospital sued by Massachusetts AG

Agenda
• HIPAA in the Past and as We Know It “Today”
• What’s Changing and When
  – Business Associates/Business Associate Agreements
  – Data Breach Notification Requirements
  – Notice of Privacy Practices
  – Enforcement
• What to Do Now
• Overview/Demo of NoDataBreach.com

Disclaimer
William Ewy is not providing legal advice during today’s presentation. Mr. Ewy and ePlace Solutions provide certain risk management services known as “NoDataBreach” to Beazley’s Breach Response insurance policyholders and do not provide legal advice. If you have legal questions, you should obtain legal advice from qualified legal counsel.

What is HIPAA and HITECH
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996
  – The Privacy Rule applies to Protected Health Information (PHI) in any form (e.g. electronic, paper, oral, etc.)
  – The Security Rule applies to PHI in electronic form and requires specific Administrative, Physical and Technical safeguards
• The Health Information Technology for Economic and Clinical Health Act (HITECH) made several amendments to HIPAA

Organizations Subject to HIPAA
• Covered Entities (CEs)
  – Health plans (health insurance plans)
  – Healthcare clearinghouses, e.g. a billing service (converting non-standard to standard format, or vice versa)
  – Healthcare providers that conduct standard electronic transactions covered by HIPAA (listed on next page)
• Business Associates (BAs) – now a person who “creates, receives, maintains, or transmits” PHI on behalf of a CE

Electronic Transactions Covered by HIPAA
• Healthcare claims or encounter information
• Healthcare payment or remittance advice
• Coordination of benefits
• Healthcare claims status
• Enrollment or disenrollment in a health plan
• Eligibility for a health plan
• Health plan premium payments
• Referral certification and authorization
• First report of injury
• Health claims attachments
• Any other transaction prescribed by the Secretary of HHS

Examples of Covered Entities
Health Care Providers
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
Health Plans
• Health insurance companies
• HMOs
• Company health plans
• Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

Today’s HIPAA Landscape
HITECH/ARRA, since 2009, included
• Breach notification
• Business associate liability
• Enforcement penalties
• Attorneys General authority to enforce

Today’s HIPAA Landscape
• Interim Rules (“interim” = effective but subject to change via final rule) - 2009
  – Breach notification
  – Enforcement penalties
• Proposed Rule (not effective until final rule) – July 2010
  – HITECH implementation, including BA and BAA agreement modifications

Changing HIPAA Landscape: New HIPAA/HITECH Regulations
• Omnibus HIPAA Final Rule, published Jan 25, 2013
• Topics addressed include:
  – Breach notification
  – Business associate liability
  – Business associate agreements
  – Enforcement
  – Many other HIPAA compliance issues, including permissibility of using/disclosing PHI for marketing and fundraising communications, individuals’ right of access to electronic PHI, and other issues

New HIPAA/HITECH Regulations
• Effective date: Mar 26, 2013 (except as otherwise provided)
• Compliance date: Sep 23, 2013

New HIPAA/HITECH Regulations: Business Associates
• HITECH made BAs subject to the Security Rule and certain Privacy Rule provisions
• New regs implement HITECH requirements
• BA definition amended to add
  – Patient Safety Organizations,
  – Health Information Organizations/data transmission entities,
  – Vendors who provide Personal Health Records on behalf of covered entities, and
  – Subcontractors

Business Associates: Subcontractors
• Subcontractors to BAs are subject to HIPAA
• Agreement is required between BA and subcontractor that contains all required BAA provisions
• “No matter how far ‘down the chain’ the information flows”

Business Associate Liability
• Business Associates and their subcontractors are now directly liable for violations of the Security Rule and for uses and disclosures of PHI in violation of the Privacy Rule
• Business Associates must
  – Keep and disclose records as required by HHS; cooperate with HIPAA compliance investigations
  – Disclose PHI as needed by a CE to fulfill the requirement to provide an electronic copy of PHI
  – Notify the CE of a breach of unsecured PHI
  – Adhere to “minimum necessary” uses and disclosures of PHI
  – Provide an accounting of disclosures
  – Enter into agreements with subcontractors that comply with the Privacy and Security Rules

Business Associate Agreements
• New required provisions (additive); Business Associate agreement must
  – Require BA to comply with the Security Rule
  – Require BA to report breaches to the CE
  – If delegated activity, require BA to comply with the Privacy Rule
  – If BA subcontracts, require BA to have a contract with the subcontractor that complies with BAA provisions
• Transition provisions
  – Existing BAAs may continue to operate for a one-year period after the compliance date, provided that
    • Existing BAA currently complies with all BAA requirements, and
    • Existing BAA does not renew prior to the compliance date

BAA Transition Period Detail
(e) Implementation specification: Deemed compliance.
(1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
  (i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and
  (ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
  (i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
  (ii) September 22, 2014.

Business Associates: What to Do Now
• Inventory Business Associate Agreements for current compliance
• Create templates for (1) amendments for existing BAs and (2) BA agreements going forward
• Determine which BAAs must be amended/replaced prior to 9/23/2012
• Map out amendment/replacement strategy
• Communicate with Business Associates; set expectations for:
  – BAA amendment/replacement process
  – Subcontractor identification and BA action plan
• Set realistic timeline

New HIPAA/HITECH Regulations: Breach Notification
• Unchanged requirements, including
  – Notification if breach of unsecured PHI/EPHI
  – Notice to affected individuals within 60 days of discovery
  – Notice content requirements
  – Notice to OCR immediately if breach affects 500 or more individuals, and annually if fewer than 500
  – Notice to the media if 500 or more affected

Current Definition of Breach
• HITECH defined “breach”
  – Acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI
• Interim final rule defined “compromise”
  – Poses a significant risk of financial, reputational or other harm
• CEs and BAs have been applying this standard in performing analyses

New HIPAA/HITECH Regulations: Presumption/New “Compromise” Standard
• An acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach
• Unless the CE or BA can demonstrate (via documentation) that there is a low probability that the PHI has been compromised

New HIPAA/HITECH Regulations: Probability of “Compromise”
Factors that must be weighed in assessing probability of compromise:
1. The nature and extent of the PHI involved
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed, and
4. Whether the risk to the PHI has been mitigated

Data Breach Changes: What to Do Now
• Update incident response plan
• Revise breach analysis template
• Update policies and procedures*
• Train workforce on new requirements*
*Factor in other new HIPAA requirements

Notice of Privacy Practices
The Final Rule requires several new provisions
• NPPs must state that the following require an individual’s prior authorization: (1) most uses and disclosures of psychotherapy notes (if the CE maintains psychotherapy notes); (2) uses and disclosures of PHI for marketing purposes; and (3) disclosures of PHI that constitute a “sale.”
• If a CE contacts individuals for fundraising purposes, its NPP must notify individuals that they have a right to opt out of such communications
• NPPs must inform individuals of their right to restrict certain disclosures of PHI to health plans when the individual has paid in full
• NPPs must tell individuals of their right to receive a notification if there is a breach of their unsecured PHI
• For health plans, assurances that the plan will not use or disclose genetic information for underwriting purposes

Enforcement Provisions Adopted and Clarified
Regulations adopt the HITECH increased penalty structure:
– Did not know: $100 - $50,000 per violation
– Reasonable cause: $1,000 - $50,000 per violation
– Willful neglect* if corrected: $10,000 - $50,000 per violation
– Willful neglect if uncorrected: $50,000 per violation
– $1,500,000 maximum for all violations of an identical provision per year
*Conscious, intentional failure or reckless indifference to a compliance obligation

Enforcement Provisions: New Clarifications
• Factors government must now consider when determining penalties
  – Nature and extent of violation, now includes number of affected individuals
  – Nature and extent of harm resulting, now includes reputational harm
  – History of compliance, now includes indications of noncompliance (vs. formal findings of violations)
  – Financial condition of the organization
• If willful neglect, HHS
  – Is required to investigate
  – Must conduct a compliance review
  – May (but probably won’t) resolve informally

NoDataBreach.com Overview of Services

The Service Focus
• Providing updated, timely, relevant information to help organizations prevent data breaches
• US Federal and State Laws and Regulations
• Practical guidance
The information can be accessed/used as you see fit, for non-commercial purposes, within your insured organization

Scope of Services (1)
Step-by-Step Procedures to Lower Risk
• Understand the scope of “personal information” (“PI”)
• Determine where PI is stored
• Collect/retain the minimum amount of PI required for business needs
• Destroy PI when no longer needed
• Risk assessment guidance
• Develop and implement an Incident Response Plan
On-line Compliance Materials
• Federal and state compliance materials
• Summaries of federal and state laws
• Sample policies & procedures
• Continuing updates and electronic notification of significant changes

Scope of Services (2)
Periodic Newsletter & “Privacy Posts”
• Sent by email
• Significant changes in federal and state laws/regulations
• Breach and data security news
Privacy Alerts for events requiring immediate attention
Data Security Tips
Phone/E-mail Support
Consultants & attorneys answer questions, including:
• Health care & HIPAA compliance issues
• Data breach prevention issues
• Data security best practices
• Computer forensic issues

Scope of Services (3)
Training Modules
• On-line training material
• Awareness bulletins & posters
• Webinars – for privacy compliance and IT staff
Handling Data Breaches
Guidance provided to:
• Respond to a data breach – specific, to-the-point

Policyholder Feedback
“With your outreach this week, I’m truly appreciating the value of our membership with No Data Breach.”
“I don’t feel like I’m going it alone and will be surfing your website more frequently!”

Site Walkthrough

In Summary, the Service Provides…
Unlimited non-commercial access to information to help prevent data breaches
• Updates via email – Newsletters, Privacy Posts
• Webinars
• Phone/E-mail support (questions)
• Online resources

Questions?