Page 1: Federal Update on HIPAA and HITECH Privacy and Security … · 2014-02-28 · The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American

Office of the Secretary, Office for Civil Rights (OCR)

Federal Update on HIPAA and HITECH Privacy and Security

Enforcement

April 8, 2013, Boston Bar Association

Susan Pezzullo Rhodes, Deputy Regional Manager

Erin Walker, Equal Opportunity Specialist

Page 2

OCR 2

Topics

• How OCR Enforces the HIPAA Privacy and Security Rules

• Omnibus Rule Highlight of Changes

• HITECH Breach Notification

• Some Lessons Learned

Page 3

Office of the Secretary, Office for Civil Rights (OCR)

How OCR Enforces the HIPAA Rules

Page 4

Complaints Alleging a Violation

• Every complaint received by OCR is reviewed & analyzed

• An investigation is launched if the facts and circumstances alleged indicate a failure to comply

• Complaints that allege violations under more than one of OCR’s authorities (e.g., privacy, security, or breach notification rules) will be investigated as a single case

Page 5

Compliance Reviews

• Reviews policies and procedures of a covered entity to determine compliance with the health information privacy rules

• OCR initiates a review when a media report or information from another agency indicates a failure to safeguard PHI or another indication of noncompliance with the HIPAA Rules

• OCR initiates a review for every breach report made to HHS involving 500+ individuals

Page 6

Omnibus Highlights

The changes in the final rulemaking provide the public with increased protection and control of personal health information.

Changes expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates.

Penalties are increased for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.

Page 7

Omnibus Highlights

The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their permission.

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.

Page 8

Omnibus Highlights

The rule makes it easier for parents and others to give permission to share proof of a child's immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA), which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

Page 9

Not in Omnibus

• HITECH Accounting of Disclosures Rule

• HITECH Distribution of Penalties/Settlements to Harmed Individuals Rule

• HITECH Minimum Necessary Guidance

• HIPAA/CLIA Patient Access to Laboratory Test Reports Rule

Page 10

Important Dates

• Published in Federal Register – January 25, 2013

• Effective Date – March 26, 2013

• Compliance Date – September 23, 2013

• Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts

Page 11

Office of the Secretary, Office for Civil Rights (OCR)

HITECH Breach Notification Rule: Reports and Trends

Page 12

What is a Breach?

• Under the old Rule:

– Impermissible use or disclosure of (unsecured) PHI which compromises the security or privacy of the information

• Compromises means poses a significant risk of financial, reputational, or other harm to the individual

• To determine whether notification is required, the preamble stated that the CE/BA must perform a risk assessment based on at least:

– What type or amount of PHI was used or disclosed

– Who received/accessed the information

– Potential that PHI was actually accessed or acquired

– What steps were taken to mitigate

Page 13

Definition of Breach – New Rule

• Harm standard removed

• Impermissible use/disclosure of (unsecured) PHI is presumed to require notification, unless the CE/BA can demonstrate a low probability that PHI has been compromised, based on a risk assessment of at least the following:

– Nature & extent of PHI involved

– Who received/accessed the information

– Potential that PHI was actually acquired or viewed

– Extent to which risk to the data has been mitigated

• Exceptions for inadvertent, harmless mistakes remain

Page 14

Breach Notification: 500+ Breaches by Type of Breach

Page 15

Breach Notification: 500+ Breaches by Location of Breach

Page 16

Lessons Learned

• Reduce risk through network or enterprise storage as alternative to local devices

• Encryption of data at rest on any desktop or portable device/media storing EPHI

• Clear and well documented administrative and physical safeguards on the storage devices and media which handle EPHI

• Raise the security awareness of workforce members to promote good data stewardship

Page 17

Culture of Compliance

• In light of OCR's clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs.

• A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

Page 18

Want More Information?

The OCR website, http://www.hhs.gov/ocr/privacy/, offers a wide range of helpful information about health information privacy, including educational material, FAQs, rule text, and guidance for the Privacy, Security, and Breach Notification Rules.
