AHLA
Physicians and Hospitals Law Institute ● February 5-7, 2014
D. The Impact of HIPAA on Medical Practices in a Post-HITECH World
Kimberly Short Kirk, Moore & Van Allen PLLC, Charlotte, NC
Brad M. Rostolsky, Reed Smith LLP, Philadelphia, PA
The Evolution of HIPAA: Impact of HITECH and
Increased HIPAA Enforcement on Physician Practices
Kimberly Short Kirk
704-331-3524
Brad M. Rostolsky
215-851-8195
HIPAA Implications of Physician-Hospital Integration
Affiliated Covered Entities
Single covered entity
Common ownership/control
All members must be a covered entity
Designation must be documented
If functions are combined, all requirements apply
Affiliated Covered Entities
Single set of policies
Common training program and Privacy Officer
One NPP
Joint BAAs
Practical?
Joint liability
Organized Health Care Arrangements
Hold themselves out as participating in a joint arrangement
Joint activities must include:
UR;
QA; or
Payment activities if OHCA shares financial risk for services
Organized Health Care Arrangements
May disclose PHI for health care operations of OHCA
No designation required
Implement required safeguards for shared PHI?
Security Rule Risk Assessments & OCR Audits
General Requirement
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the
Confidentiality
Integrity
Availability
of electronic protected health information held by the entity
The times they are a changing …
Mobile devices
Phones
iPads, etc.
Flash drives
Web-based email and applications (e.g., scheduling, billing)
Dependency on vendors
Important Considerations
Frequency
Associated exposure/risk
Entity “buy-off”
Cost
Outside vendor vs. internally conducted
Role of attorney
Given the current enforcement environment and the introduction of audits, risk assessments are a critical aspect of overall HIPAA compliance.
HHS/OCR Audits
Pilot Program launched in November 2011
Pilot was for 115 covered entities
Process:
Initial response time: 10 days!
HHS/OCR Audits
Touted as a “compliance improvement activity”
Contracted to KPMG
Get your documentation in order NOW
Emphasis on Security Rule Risk Assessment
Impact of recent OIG report??
Enforcement
HITECH Enforcement CMP Levels
Violation Category | Each Violation | All Identical Violations per Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect, Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect, Not Corrected | $50,000* | $1,500,000
HIPAA Enforcement: Recent Examples
Dermatology Practice: $150,000 Settlement, Corrective Action Plan
OCR investigation following theft of unencrypted thumb drive containing ePHI of 2,200 patients
No Security Rule Risk Assessment; failed to have policies and procedures in place addressing breach notification
Medical Center: $275,000, Corrective Action Plan
Two Medical Center leaders discussed medical services provided to a patient with the media without proper authorization
Failed to safeguard patient’s PHI and failed to sanction workforce members pursuant to internal sanctions policy
Pathology Practices: $140,000 Settlement
Massachusetts Atty. Gen. fine stemmed from improper disposal of paper medical records of 67,000 residents
Failed to have appropriate safeguards in place to protect the personal information provided to BA; no BAAs between pathology groups and BA
HIPAA Enforcement: Recent Examples
Eye and Ear Practice: $1.5 million Settlement, Corrective Action Plan
OCR investigation following theft of an unencrypted personal laptop containing ePHI of patients and research subjects
No Security Rule Risk Assessment; failed to implement security measures to ensure confidentiality of ePHI; failed to implement policies and procedures
Cardiology Practice: $100,000 Settlement, Corrective Action Plan
OCR investigation following report that practice was posting clinical and surgical appointments on publicly accessible Internet-based calendar
No Security Rule Risk Assessment; failed to implement policies and procedures; failed to document employee training; failed to identify security officer; failed to obtain BAAs
Patient Complaints and OCR Inquiries/Investigations
Responding to Patient Complaints
HIPAA Privacy Rule gives patients the right to make complaints to covered entity and OCR.
Does covered entity have other relevant policies?
Notice of Privacy Practices
Responding to Patient Complaints: Practical Considerations
Train all employees to report all potential incidents, not just formal complaints
Document all conversations with the complainant; you may need to gather information from them
Watch disclosure of sensitive employee information
Responding to Patient Complaints: Practical Considerations
Complaint documentation
Subject of complaint
How investigated (interviews, medical record audit)
Findings
Remedial measures (if none, then reasons why)
Efforts to mitigate
Consider state law notice requirements
Responding to OCR Inquiries
Most common type of covered entity required to take corrective action: private practices
Complaint requirements:
In writing
Within 180 days unless “good cause”
OCR must describe basis of complaint to subject covered entity
Initially, OCR said that it would pursue “informal means” and “seek voluntary compliance” (68 Fed. Reg. at 18897)
6/2012: OCR Director says that tolerance for HIPAA compliance is “much, much lower” than in past in light of history and amount of guidance provided
Cooperation by covered entity required
Responding to OCR Inquiries
List of questions
Relate to incident that is subject of complaint
Covered entity’s compliance generally
Supporting materials (policies, training logs)
Responding to OCR Inquiries: Practical Considerations
Time-consuming process
Clear, thorough, accurate response; include exhibits to support
Expect follow up questions
Remedial actions
Training
Revisions to policies
Employee sanctions
Breach notices
Assess compliance generally
Workforce Training
HIPAA Training
Frequency
Documentation!!
Content
Workforce members vs. business associates
Exposure
Logistics
Breach Notification Rule
Breach Notifications and Reporting Requirements
Prior to HITECH Act, no federal requirement to notify individuals of breaches existed
Entities of all sizes and kinds have reported breaches
Blue Cross Blue Shield of TN (March 2012): $1.5M
Phoenix Cardiac Surgery, P.C. (April 2012): $100,000
Alaska DHHS (Medicaid beneficiaries) (June 2012): $1.7M
Corrective Action Plan required in addition to imposition of fine
Breach Notifications and Reporting Requirements
Interim Final Rule (Sept. 2009):
Risk of harm assessment
Is there a “significant risk of financial, reputation or other harm”?
Breach Notifications and Reporting Requirements
HITECH Final Rule (January 2013)
New assessment intended to be more objective and uniform
Presumption of breach
Must demonstrate a “low probability” that PHI has been “compromised” after conducting a risk assessment
Breach Notifications and Reporting Requirements
Risk assessment of at least 4 factors
Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
Unauthorized person who used the PHI or to whom the disclosure was made
Whether the PHI was actually acquired or viewed
Extent to which the risk to the PHI has been mitigated
Breach Notifications and Reporting Requirements
Utilize committee/multiple people in entity to make determination regarding risk
Document analysis of 4 risk factors
Consistency where possible
Breach Notifications and Reporting Requirements
Advise liability carrier?
Drafting notices:
Clarity: avoid unnecessary concerns
Describe what was and was not disclosed
Train/inform contact persons
Determine whether need media or substitute notice
Breach Notifications and Reporting Requirements
Notice to Secretary
Be thorough when completing online form
Breach notice filings as source of investigations
Maintain log of breaches
Procedure so that notice is filed by the deadline
Breach Notifications and Reporting Requirements
Even if notice is not provided:
Remember mitigation obligation
Address underlying issue(s)
Document measures taken
Avoid future incidents
May help if OCR does not agree with assessment
Breach Notifications and Reporting Requirements
State Law Reporting Requirements
May have different information that triggers notice and/or reporting obligation
May be required in all instances and not contain risk threshold standard
Business Associate issues
Covered entity may have obligations under BAAs
Who makes determination? Who bears costs?
Business Associate “Management”
Changing Obligations
Assess current relationships for BAA compliance
Indemnification
Oversight of BAs
Audit compliance?
Impose safeguards?
Other mechanisms?
Agency risk
Covered Entity exposure
Business Associate breaches
Grandfather period: earlier of
Date of renewal or modification
September 22, 2014
Business Associate Subcontractors
Consistency
“Floor” Provisions
Marketing
Marketing Communications
Former Privacy Rule. To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
Treatment and certain health care operations communications excluded
Final Rule. Eliminates exceptions for financially remunerated treatment and health care operations communications.
Prior authorization required when a covered entity receives financial remuneration in exchange for making a treatment communication.
Marketing Communications
Financial Remuneration.
Defined as monetary direct or indirect payments from the third party whose product or service is being described.
Notably, financial remuneration does not include in-kind benefits.
Financial Remuneration and Business Associates.
If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization.
Marketing Communications
Two Critical Questions:
1. Is the covered entity or business associate receiving financial remuneration?
2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?
Marketing Communications
Scope of Authorizations.
Need not be limited to communications describing a single product or service or services of a single third party.
A single authorization may apply to subsidized communications generally.
Exceptions to Authorization Requirement Remain:
Face-to-face communications
Promotional gifts of nominal value
Marketing Communications – Prescription Refill Reminder Exception
Financially remunerated prescription refill reminders remain excluded if financial remuneration limited to reasonable costs of making the communication
Recent Guidance from OCR – Two and A Half Critical Questions:
1. Is the communication about a currently prescribed drug or biologic?
2. Does the communication involve financial remuneration, and if so, is it reasonable?
Marketing Communications – Prescription Refill Reminder Exception
Is the communication about a currently prescribed drug or biologic?
Within Exception:
Refill reminders about a drug or biologic that is currently being prescribed;
Communications regarding generic equivalents;
Communications about a recently lapsed prescription (i.e., within the last 90 calendar days);
Adherence communications; and
For individuals who are prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system.
Not Within Exception:
Communications about specific new formulations of a currently prescribed medicine;
Communications about specific adjunctive drugs related to the currently prescribed medicine;
Communications encouraging an individual to switch from a prescribed medicine to an alternative;
Marketing Communications – Prescription Refill Reminder Exception
Does the communication involve financial remuneration, and if so, is it reasonable?
Within Exception:
No financial remuneration involved;
Only non-financial or in-kind remuneration, such as supplies, computers, or other materials;
Only payments from a party whose product is not being described (and not on behalf of the party whose product is being described);
Financial remuneration covers only the reasonable direct and indirect costs related to the refill reminder (i.e., labor, materials, and supplies as well as capital and overhead costs)
Involves payment to business associate assisting the covered entity, which is limited to the FMV of the business associate’s services.
Not Within Exception:
Involves financial remuneration not described above.
Proposed Access Reports Rule
Changes to Accounting Requirements and Access Reports
Modified the accounting requirement currently set forth in the Privacy Rule
Added right to receive an “Access Report”
Specific individuals who have accessed ePHI
Specific action taken
Commenters have noted that this would be complex, cumbersome and costly
Changes to Accounting Requirements and Access Reports
Not addressed in HITECH Final Rule
Talk to electronic health record vendors
Notice of Privacy Practices changes