Page 1

500 Attorneys • 21 Offices • www.cozen.com
© 2009 Cozen O’Connor. All Rights Reserved.

SAFEGUARDING ACCESS TO HEALTH INFORMATION AND MEDICAL IDENTITY

January 28, 2010

Presented by:
Katherine M. Layman
Salvatore G. Rotella, Jr.

Page 2

HIPAA and Health Information Technology (HIT) Provisions in the American Recovery and Reinvestment Act of 2009 (ARRA)

Presented by:
Katherine M. Layman
Cozen O’Connor
1900 Market Street
Philadelphia, PA 19103
(215) 665-2746
(215) 701-2446 (fax)
[email protected]

Page 3

GENERAL OVERVIEW OF HITECH

• Title XIII of Division A of the ARRA includes the provisions pertaining to HITECH (the Health Information Technology for Economic and Clinical Health Act)

• Creation of a Nationwide HIT infrastructure

• Goal of Certified Electronic Health Records (EHRs) for Every Person in the U.S. by 2014

Page 4

GENERAL OVERVIEW OF HITECH

• Significant Revisions to HIPAA Privacy and Security Rules

• Increased Enforcement of and Penalties for HIPAA Violations

• $17 Billion in Incentive Payments for the Adoption of EHRs (Title IV of Division B of the ARRA)

Page 5

CHANGES IN BUSINESS ASSOCIATE RULES

Page 6

EXISTING LAW

• Business associates (BAs) not directly subject to HIPAA

• BA contract created a “back door” way to protect PHI in hands of BAs

Page 7

BASIC RULE

• Business Associate relationship:
– a Covered Entity engages another person or entity
– to perform a function on behalf of the Covered Entity
– which requires disclosure of PHI by the Covered Entity to the Business Associate
– or creation of new PHI by the Business Associate

Page 8

BASIC RULE

• Also applies when specified services are provided to a Covered Entity, not “on behalf of” the Covered Entity, but which the Covered Entity must obtain to exist as a business, e.g., legal, accounting, etc.

• Members of the workforce, e.g., employees, volunteers, and trainees, are not Business Associates

Page 9

BUSINESS ASSOCIATE CONTRACTS

Current Rule
• Covered entities must have a contract with each Business Associate to receive satisfactory assurances that the BA will appropriately safeguard the PHI

• Required to take reasonable steps to cure a breach or terminate the contract, if Covered Entity knows of a material violation

• If termination is not feasible, violations must be reported to HHS

Page 10

PRIVACY RULE CHANGES (Feb. 17, 2010)

• BAs will be more directly subject to the requirements of the Privacy and Security Rules

• Enforcement by DHHS or state Attorneys General can be directly against BAs
– BAs subject to same civil and criminal penalties as covered entities

• Breach notification obligation

Page 11

PRIVACY RULE

• Conference Agreement. ARRA applies the Privacy Rule, as well as the new privacy requirements and enforcement penalties, to BAs in the same manner as they apply to the providers and health plans for whom they are working.

• Statutory language. The BA may use or disclose PHI only if such use or disclosure complies with the privacy provisions of the BA Agreement.

Page 12

PRIVACY RULE – POST HITECH

• BAs subject to direct enforcement for failure to comply with HIPAA privacy rule

• At present, there is no requirement for a BA to have a privacy officer, policies and training

• Question: How should BAs demonstrate the steps they have taken to be compliant?

Page 13

SECURITY RULE - CURRENT RULE

• Covered entities must comply with administrative, physical and technical safeguards (and require BAs to comply as well)
– Administrative – assigning or delegating security responsibilities to employees; training
– Physical – protect electronic systems and data from threats, environmental hazards, and unauthorized access
– Technical – IT functions to protect and control access to data

Page 14

SECURITY RULE - POST HITECH

• BAs directly subject to administrative, physical and technical safeguards as if they were covered entities

• BAs will have to have a security officer, develop written policies and procedures, document security compliance actions, and train workforce

Page 15

BREACH NOTIFICATION

• BAs must notify covered entities of security breaches they discover

• BA’s responsibility if it knows of a pattern of activity or practice by the covered entity that is a breach of the BA Agreement:
– Terminate agreement
– Report to HHS if termination not feasible

Page 16

BUSINESS ASSOCIATE CONTRACTS

• “Additional” requirements of HITECH relating to privacy and security shall be incorporated into BA agreements

• Differing interpretations as to scope of amendments of BA agreements

Page 17

WHAT TO DO?

• BUSINESS ASSOCIATES
– Engage in a HIPAA security compliance process
  • Risk analysis and risk management process
  • Develop policies and procedures
– Evaluate how to implement compliance for privacy obligations
– Revisit BA agreements
– Downstream agreements?

Page 18

WHAT TO DO?

• COVERED ENTITIES
– Amend BA agreements
– Plan for requests for amendments to existing agreements
– Develop a strategy for downstream entities (“sub business associates”)

Page 19

USE AND DISCLOSURE OF PHI

Page 20

GENERAL

• Except for TPO, written authorization required for use or disclosure of PHI

• Requires Individual Authorization if
– Used for Marketing
– Used and Disclosed to Non-Health Related Entities
– Sale, Rental or Barter
– Psychotherapy Notes

Page 21

GENERAL – Marketing and Fundraising

• Issue: “Healthcare Operations”?

• Healthcare Operations
– Quality assessment and improvement activities
– Professional competence evaluations and training programs
– Conducting and arranging for medical review, legal services and auditing functions, including compliance programs
– Business planning and development
– Business management and general administrative activities

Page 22

MARKETING

• Current Rule: Communications that encourage the recipient to purchase or use a product or service are “marketing” and require an authorization except:
– Describing a product/service included in CE’s benefit plan
– For treatment
– Case management/care coordination or to recommend alternative treatments to an individual

Page 23

MARKETING

• Under HITECH, receiving compensation for these communications changes the rules.
– Such communication is not healthcare operations

• EXCEPTIONS
– Communication by CE describing ONLY a drug or biologic that is currently being prescribed to recipient, or
– CE or BA receives Valid Authorization from recipient
– Communication by BA must be on behalf of CE and consistent with Business Associate Agreement (BAA)
– Payment received is “reasonable in amount” – TBD

Page 24

FUNDRAISING

• Fundraising activities considered healthcare operations

• The Act continues to permit fundraising activities by the provider using a patient’s PHI so long as any written fundraising provides an opportunity to opt out of future fundraising communications

• If the recipient chooses to opt out of future fundraising communications, that choice is treated as a revocation of authorization
– Result: does not change substance of rule, but increases importance of tracking authorizations

• Cannot be denied treatment as a result of opting out

• DHHS to promulgate regulations

Page 25

MINIMUM NECESSARY

• Whenever a CE uses or discloses PHI or requests such information from another CE, it must make reasonable efforts to limit the information to the “minimum necessary” to accomplish the intended purpose of the use or disclosure.
– HITECH puts the medical necessity determination on the disclosing CE

• Under the Act, the Secretary must develop guidance within 18 months from enactment on what constitutes the minimum necessary

• The Secretary must take into consideration the information necessary to improve patient outcomes and to manage chronic disease

• Prior HIPAA exceptions still apply
– Request by a healthcare provider for treatment purposes
– Disclosure of “limited data set” for specified purposes (e.g., research) pursuant to a data use agreement

Page 26

ACCOUNTING OF PHI DISCLOSURES

• General Rule -- Individuals have a right to an accounting of disclosures of their PHI by a CE during the previous six years, except for TPO uses and disclosures

• HITECH extends the right to an accounting to TPO uses and disclosures by the CE during the previous 3 (rather than 6) years if made via EHR

• Effective date of provision depends on when CE acquires EHR
– If EHR acquired after 1/1/09 – eff. 1/1/11
– If EHR acquired before 1/1/09 – eff. 1/1/14

• Secretary required to issue regulations within 18 months

Page 27

DISCLOSURES TO HEALTH PLANS

• Current Rule: CE not required to comply with a requested restriction on CE’s use and disclosure of PHI

• New Rule: Where individual pays for service out of pocket, CE may not refuse to restrict use and disclosure to a health plan where disclosure is for payment or health care operations
– CE must have a mechanism to flag such restrictions
– This is a challenge if CE allows health plans to access EHRs to confirm medical necessity

Page 28

WHAT TO DO?

• Keep an eye on upcoming regulations

• Review IT capabilities for new accounting responsibilities – Not effective until 1/1/2011 at the earliest

• Does a use or disclosure activity fit within “Healthcare Operations”?

Page 29

INCREASED ENFORCEMENT AND PENALTIES

Page 30

Enforcement

• A violation of HITECH by a covered entity is subject to HIPAA’s criminal and civil penalties.

• The Secretary of HHS is required to conduct “periodic” audits to ensure that covered entities and business associates are complying with HITECH and HIPAA.

Page 31

Enforcement

Enforcement by State Attorneys General
• HITECH permits State Attorneys General to bring civil actions in federal district court on behalf of their residents for violations of HIPAA
  • to enjoin further violations
  • to obtain damages ($100 per violation; limit of $25,000 for all violations of an identical requirement in a calendar year)

Page 32

Safeguarding Access to Health Information and Medical Identity: Breach Notification

January 28, 2010

Presented by:
Salvatore G. Rotella, Jr.
Cozen O’Connor
1900 Market Street
Philadelphia, PA 19103
(215) 665-3729
(215) 701-2129 (fax)
[email protected]

Page 33

Breach Notification Law and Regulations

• “Notification in the case of breach” -- Section 1342 of HITECH (the Health Information Technology for Economic and Clinical Health Act), 42 U.S.C. § 17932

• HITECH is part of the Stimulus Bill (American Recovery and Reinvestment Act of 2009)

• CMS issued interim final rule, “Breach Notification for Unsecured Protected Health Information,” on August 24, 2009 (74 Fed. Reg. 42740), 45 C.F.R. § 164.400-164.414

Page 34

Overview of Response to Potential Breach

• Determine if there was a breach
• Give notice to affected individuals
• Give notice to media (if necessary)
• Give notice to HHS (now or later)
• Address state law issues

Page 35

Was there a breach? (Definitions)

• Breach: the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information – i.e., poses a significant risk of financial, reputational, or other harm to the individual

• PHI: any information, whether oral or recorded in any form or medium, that is created or received by a Covered Entity that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that either identifies or can be used to identify the individual

Page 36

Was there a breach? (Questions to ask)

• Was PHI involved?

• Was PHI unsecured? PHI is deemed secured only if it was encrypted or destroyed.
– Encrypted? Algorithmic process used to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
  • Process must meet National Institute of Standards and Technology (NIST) publication requirements for “data at rest” (in databases) or “data in motion” (moving through network) – www.csrc.nist.gov
– Destroyed?
  • Paper, film, or other hard copy shredded or destroyed
  • Electronic media purged or destroyed consistent with NIST publication requirements

Page 37

Was there a breach? (Questions to ask)

• Was there acquisition, access, use, or disclosure in violation of the Privacy Rule?

• Do any of the three exceptions to breach apply?
– Unintentional, good faith use by a workforce employee within the scope of employment, and no further impermissible use

• Nurse mistakenly sends email with PHI to billing employee, who tells nurse and deletes email

– Inadvertent disclosure by one workforce member authorized to access PHI to another, and no further impermissible use

– Covered Entity/Business Associate reasonably believes that unauthorized person to whom information was disclosed would not have been able to retain it

• EOB sent in the mail to wrong patient comes back unopened as undeliverable

Page 38

Was there a breach? (Questions to ask)

• Does the use or disclosure of PHI pose a significant risk of financial, reputational, or other harm to the individual whose PHI is at issue?
– Who impermissibly used or disclosed the PHI, and to whom was it disclosed?
– Were any immediate steps taken to mitigate potential harm of the use or disclosure (e.g., assurance from recipient that he or she destroyed the PHI)?
– Was the PHI returned prior to being accessed for an improper purpose?
– Type and amount of PHI used or disclosed
– If disclosed PHI was in a Limited Data Set, the risk of re-identification of the individual

Page 39

Notice to Affected Individuals (Timing of Notice)

• Give notice to affected individuals without unreasonable delay and within 60 days of discovery of breach

• Breach considered discovered as of the first day it is known to the Covered Entity or its agent, or would have been discovered by either through exercise of due diligence

• Business Associate contracting issues for CE
– Provision stating that Covered Entity and Business Associate are independent contractors
– Provision requiring Business Associate to notify Covered Entity of potential breach within 5 days
– Provision requiring Business Associate to indemnify Covered Entity for cost of providing notification

Page 40

Notice to Affected Individuals (Content of Notice)

• Brief description of incident, including date of breach and discovery

• Description of types of unsecured PHI that were involved

• Steps individuals should take to protect themselves from potential harm resulting from breach

• Brief description of what Covered Entity is doing to investigate breach, mitigate harm, and protect against future breaches

• Contact procedures to learn more (toll-free phone number, email address, website, or postal address)

• Federal Trade Commission website and toll-free number (in light of State identity theft laws)

Page 41

Notice to Affected Individuals (Methods of Notification)

• Written notice by first class mail, if Covered Entity has contact info
– To next of kin if deceased, to personal representative if minor
– May provide notice by email, if individual has agreed to receive electronic notices

• Substitute notice, if Covered Entity does not have contact info
– 9 or fewer affected individuals: by alternative form of written notice, telephone, or other means
– 10 or more affected individuals:
  • Through 90-day posting on CE’s website or notice in major print or broadcast media in geographic areas where the affected individuals likely reside
  • Include toll-free number active for 90 days with info on breach

• Urgent notice, if there’s possible imminent misuse: notice by telephone or other appropriate means in addition to written notice

Page 42

Notice to Media

• If breach of unsecured PHI involved more than 500 residents of a single State or jurisdiction (e.g., city or town), notice must be given to “prominent media outlets serving the State or jurisdiction”

• Media notice is in addition to written notice to affected individuals

• Media notice must meet same timing and content requirements as written notice

• Most covered entities will issue press release to meet media notice requirement

Page 43

Notice to HHS

• Breach involving 500 or more individuals: Covered Entity must notify Secretary of HHS as soon as reasonably possible and not later than sixty (60) calendar days following discovery. Notice to be submitted electronically on form found at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

• Breach involving fewer than 500 individuals: Covered Entity must provide a log of all such breaches to the Secretary within 60 days of the end of the calendar year. Notice to be submitted electronically on form found at website.

Page 44

Law Enforcement Delays

• If a law enforcement official states to the Covered Entity that notification would impede a criminal investigation or cause damage to national security, the Covered Entity must:
– If the statement is in writing and specifies the length of delay, delay notification accordingly
– If the statement is oral, document the statement, and delay notification for no longer than 30 days from the date of the statement (unless a written request for delay is also made in that time)
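The federal response flow on pages 34 to 44 (was there a breach, who must be notified, and by when) written out as an added Python example; this is not code from the slides or from Cozen O’Connor. The thresholds are the ones the slides state; the Incident field names, the treatment of a law-enforcement hold as moving the deadline to the later of the hold end and the 60-day date, and the sample incident are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Thresholds as stated in the slides (pages 39, 41, 42, 43, 44).
INDIVIDUAL_NOTICE_DAYS = 60     # individuals: within 60 days of discovery
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: notify HHS now
MEDIA_THRESHOLD = 500           # more than 500 residents of one State: media
SUBSTITUTE_MASS_THRESHOLD = 10  # 10 or more unreachable: posting / media
ORAL_LE_DELAY_MAX_DAYS = 30     # oral law-enforcement request: at most 30 days
ANNUAL_LOG_DAYS = 60            # small-breach log: 60 days after year end


@dataclass
class LawEnforcementDelay:
    stated_on: date                        # date the official made the statement
    in_writing: bool
    days_requested: Optional[int] = None   # only meaningful for written requests


@dataclass
class Incident:
    """Facts an IR team collects; field names are constructed for this example."""
    discovered: date
    phi_involved: bool
    encrypted_per_nist: bool = False   # secured: encrypted per NIST guidance
    destroyed: bool = False            # secured: media purged/destroyed per NIST
    privacy_rule_violation: bool = True
    exception_applies: bool = False    # one of the three breach exceptions
    significant_risk_of_harm: bool = True
    residents_by_state: dict = field(default_factory=dict)  # State -> count
    unreachable_individuals: int = 0   # no contact info: substitute notice
    le_delay: Optional[LawEnforcementDelay] = None


@dataclass
class Obligations:
    is_breach: bool
    reason: str
    individual_notice_by: Optional[date] = None
    substitute_notice: Optional[str] = None
    media_notice_states: list = field(default_factory=list)
    hhs_notice: Optional[str] = None
    hhs_notice_by: Optional[date] = None


def breach_obligations(inc: Incident) -> Obligations:
    """Walk the 'was there a breach?' questions, then derive the notice duties."""
    # Pages 36-38: the questions to ask; any 'no' ends the analysis.
    if not inc.phi_involved:
        return Obligations(False, "no PHI involved")
    if inc.encrypted_per_nist or inc.destroyed:
        return Obligations(False, "PHI was secured (encrypted or destroyed per NIST)")
    if not inc.privacy_rule_violation:
        return Obligations(False, "no use or disclosure in violation of the Privacy Rule")
    if inc.exception_applies:
        return Obligations(False, "one of the three breach exceptions applies")
    if not inc.significant_risk_of_harm:
        return Obligations(False, "no significant risk of harm to the individual")

    total = sum(inc.residents_by_state.values())
    # Page 39: without unreasonable delay, and within 60 days of discovery.
    deadline = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    # Page 44: a written request with a stated period delays notice for that period;
    # an oral request for at most 30 days from the statement. Assumption made here:
    # notice is then due at the later of the hold end and the 60-day date.
    if inc.le_delay is not None:
        hold_days = (inc.le_delay.days_requested
                     if inc.le_delay.in_writing and inc.le_delay.days_requested
                     else ORAL_LE_DELAY_MAX_DAYS)
        deadline = max(deadline, inc.le_delay.stated_on + timedelta(days=hold_days))

    ob = Obligations(True, "unsecured PHI, Privacy Rule violation, significant risk of harm",
                     individual_notice_by=deadline)
    # Page 41: substitute notice when contact information is missing.
    if inc.unreachable_individuals >= SUBSTITUTE_MASS_THRESHOLD:
        ob.substitute_notice = ("90-day posting on CE website or major print/broadcast "
                                "media, plus toll-free number active for 90 days")
    elif inc.unreachable_individuals > 0:
        ob.substitute_notice = "alternative written notice, telephone, or other means"
    # Page 42: media notice for each State with more than 500 affected residents.
    ob.media_notice_states = sorted(s for s, n in inc.residents_by_state.items()
                                    if n > MEDIA_THRESHOLD)
    # Page 43: HHS now (500 or more) or in the annual log (fewer than 500).
    if total >= HHS_IMMEDIATE_THRESHOLD:
        ob.hhs_notice = "immediate"
        ob.hhs_notice_by = deadline
    else:
        ob.hhs_notice = "annual_log"
        ob.hhs_notice_by = date(inc.discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS)
    return ob


# Constructed sample incident (not a real case): a laptop holding unencrypted PHI is
# lost; 920 patients in two States are affected; discovered 1 March 2010.
SAMPLE = Incident(discovered=date(2010, 3, 1), phi_involved=True,
                  residents_by_state={"PA": 620, "NJ": 300}, unreachable_individuals=12)

if __name__ == "__main__":
    print(breach_obligations(SAMPLE))
```

For the sample, the function returns individual and HHS notice due 2010-04-30, media notice for PA only (NJ stays at 300), and mass substitute notice because 12 individuals have no contact information.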

Page 45

State Law Issues (Overview)

• 45 States, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. See National Conference of State Legislatures, December 9, 2009 posting.

• Various bills introduced in Congress to create federal law to protect all personal information maintained in electronic format by businesses engaged in interstate commerce
– Data Accountability and Trust Act (passed by House in December 2009)
– Personal Data Privacy and Security Act of 2009 (introduced in Senate in July 2009 and in committee)

• State laws are not preempted by HITECH to the extent Covered Entity can comply with both

Page 46

State Law Issues (Focus on Identity Theft)

• State laws generally apply if a breach involves an impermissible use or disclosure of personal information maintained in an electronic format

• Personal information defined as the first name or first initial and last name of an individual who is a resident of the State, linked with one of the following data elements:
– social security number;
– driver’s license or State identification card number; or
– account number or credit/debit card number, in combination with PIN.

Page 47

State Law Issues (Notice Obligations)

• State laws require Covered Entity to provide notice to affected individuals in a format substantially similar to HITECH requirements

• If the breach involves more than 1,000 affected individuals, also notify all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, as defined by subsection (b) of section 603 of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a), of the timing, distribution and number of notices

Page 48

State Law Issues (Pennsylvania)

• Pennsylvania: Breach of Personal Information Notification Act, 73 P.S. § 2301 et seq.

• Law enforcement request for delay must specifically reference PA law (73 P.S. § 2304)

• “An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity’s primary or functional Federal regulator shall be in compliance with this act” (73 P.S. § 2307(b)(2))

Page 49

State Law Issues (New Jersey)

• New Jersey: New Jersey Identity Theft Prevention Act, N.J.S.A. § 56:8-163

• Must alert State Police of breach of personal information before providing notice to affected individuals

• “Notwithstanding subsection [d] of this section, a business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the business or public entity notifies subject customers in accordance with its policies in the event of a breach of security of the system.” N.J.S.A. § 56:8-163(e)


Safeguarding Access to Health Information and Medical Identity: Identity Theft Red Flags Rule

January 28, 2010

Presented by: Katherine M. Layman, Cozen O’Connor, 1900 Market Street, Philadelphia, PA 19103, (215) 665-2746, (215) 701-2446 (fax), [email protected]


Overview

• The Red Flags Rule implements certain sections of the Fair and Accurate Credit Transactions Act of 2003, and requires financial institutions and creditors with covered accounts to develop, implement, and administer a written Identity Theft Prevention Program designed to detect the warning signs – or "red flags" – of identity theft, take steps to prevent the crime, and mitigate any damage


Overview (Cont’d)

• The Rule was enacted in November 2007, but enforcement has been delayed several times because of concerns over who constitutes a “creditor” and is therefore subject to the Rule

• Enforcement is currently set to begin June 1, 2010


Applicability

Who Must Comply:

– Financial institutions

• State or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer

– Creditors

• Very broadly defined

• Includes businesses or organizations that regularly defer payment for goods or services, or provide goods or services and bill customers later

• May include health care providers that bill insurers and are not actually paid until after services are rendered


Covered Accounts

• Rule applies to “covered accounts” maintained by financial institutions and creditors

– Two types of covered accounts:

• A consumer account you offer your customers that is primarily for personal, family, or household purposes and that involves or is designed to permit multiple payments or transactions. E.g., credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

• Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft, including financial, operational, compliance, reputation, or litigation risks. E.g., small business accounts, sole proprietorship accounts, or single-transaction consumer accounts that may be vulnerable to identity theft.


Identity Theft Prevention Program

• If you are a creditor or financial institution with covered accounts, you must develop and implement a written Identity Theft Prevention Program.

• The Program must be:

– designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones, and


Identity Theft Prevention Program (Cont’d)

– appropriate to the size and complexity of your business or organization and the nature and scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Program.


How to Comply: A Four Step Process

STEP 1: Identify relevant red flags

• What are “red flags”?

– Potential patterns, practices, or specific activities indicating the possibility of identity theft

• Although there’s no one-size-fits-all approach, consider:

– Risk factors

– Sources of red flags

– Categories of common red flags


How to Comply (Cont’d)

• Five categories of red flags:

– Notifications, alerts, or warnings from a consumer reporting agency;

– Suspicious documents;

– Suspicious personally identifying information;

– Unusual use of, or suspicious activity relating to, a covered account; and

– Notices from consumers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts


How to Comply (Cont’d)

• When determining which red flags exist, creditors should consider:

– Past incidents of identity theft;

– Previously identified methods of identity theft that reflect changes in identity theft risks; and

– Applicable supervisory guidance


How to Comply (Cont’d)

STEP 2: Detect red flags

• Set up procedures to detect those red flags in your daily operations

– New accounts

» Reasonable procedures may include obtaining a name, address, and identification number and, for in-person verification, checking a current government-issued identification card, such as a driver’s license or passport

– Existing accounts

» Reasonable procedures to authenticate customers (confirming that the person you’re dealing with really is your customer), monitor transactions, and verify the validity of change-of-address requests


How to Comply (Cont’d)

STEP 3: Prevent and mitigate identity theft

• If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done. Your response depends upon the degree of risk posed.

• Appropriate responses include:

– monitoring a covered account for evidence of identity theft

– contacting the customer

– changing passwords, security codes, etc.

– closing an existing account

– reopening an account with a new account number

– notifying law enforcement

– determining that no response is warranted under the particular circumstances


How to Comply (Cont’d)

STEP 4: Update your program

– The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics. Thus, creditors should update the Program periodically to reflect current identity theft risks.

– Factors to consider include:

• the creditor’s experience with identity theft;

• changes in identity theft methods;

• changes in methods to detect, prevent, and mitigate identity theft;

• changes in the accounts the creditor offers; and

• changes in the creditor’s business and arrangements


Administering the Program

• The board or an appropriate committee (or, if there is no board, someone in senior management) must:

– Approve the initial written Program;

– Oversee, develop, implement, and administer the Program (the board may designate a senior employee to do so);

– Assign specific responsibility for the Program’s implementation;

– Review staff reports regarding the organization’s compliance;

– Approve changes to the Program; and

– Train appropriate staff


Administering the Program (Cont’d)

• Reports:

– The person responsible for the Program should report at least annually to the board or a designated senior manager regarding compliance

– Report should evaluate the effectiveness of the Program in addressing the risk of identity theft, monitoring of service provider arrangements, significant incidents of identity theft and responses, and recommended changes to the Program


Administering the Program (Cont’d)

• Service Providers:

– Creditor must monitor the activities of its service providers (those that perform activities in connection with covered accounts: opening or managing accounts, billing customers, providing customer service, collecting debts, etc.) and ensure that they take reasonable steps to detect, prevent, and mitigate identity theft

– Creditor may accomplish this by:

• Including a provision in contracts requiring the provider to have appropriate policies and procedures and to report red flags to the creditor or respond appropriately

• Giving them a copy of the creditor’s Program

• Reviewing providers’ red flags policies

• Requiring periodic reports about red flags and their response


Final Thoughts

• Several pieces of legislation were introduced in 2009 to restrict the definition of “creditor” and exempt certain businesses from the Rule; none have passed

• AMA objects to the FTC’s view that health care providers are covered by the Rule

• Prepare now for June 1 enforcement date, although it is possible the FTC will delay enforcement yet again
