HIPAA Final Omnibus Rule Takes Effect on 9/23/13

 September 6, 2013

HIPAA Final Omnibus Rule Takes Effect September 23, 2013

Here is a List of Requirements to Assist Healthcare Covered Entities and Business Associates With Compliance

The HIPAA Final Omnibus Rule takes effect on September 23, 2013.  According to the United States Department of Health and Human Services (HHS), “a major goal of the [HIPAA] Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well-being.”  With the HHS Office for Civil Rights imposing more severe penalties for violations, this overview and checklist will help guide you and your organizations to compliance.

I.               OFFENSIVE ACTIONS.

Training

HHS requires periodic privacy and security training for all employees of healthcare organizations. This is critical, given that the Health Care Compliance Association/Society of Corporate Compliance and Ethics survey found that the leading source (38 percent) of breach incidents is due to lost paper files and that the leading source of discovery of these incidents is from non-IT employees.  This suggests that data security and patient privacy issues are closely linked to policies and procedures, and employee training.

Workforce Training        Not completed.

       Completed but not Documented.

       Completed and Documented.

Use and Disclosure of Protected Health Information (PHI)

The Final Rule reiterates the importance that healthcare providers meet stringent requirements for patient privacy and data security. The Office for Civil Rights (OCR) has aggressively increased its enforcement toward organizations with lax privacy and security, with stiff penalties for noncompliance.  Some of the new requirements favor increased access to PHI, while others restrict access.  Either way, covered entities must update their policies and procedures to reflect the Final Rule’s mandates regarding the use and disclosure of PHI.  Update policies and procedures regarding the use and disclosure of PHI for the following:

Fundraising

New categories of PHI may be used or disclosed for fundraising, enabling covered entities to better target fundraising efforts.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Marketing

The Final Rule redefines marketing to include receiving remuneration from a third party for describing their product or service.  CEs must obtain authorization for third-party marketing.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Designated third-party receipt of PHI

Requests must be made in writing, and clearly identify the recipient and where to send the PHI.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

Ban on sale of PHI

The Final Rule prohibits, with exceptions, the sale of PHI without authorization.  This ban applies to limited data sets.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Restrictions on disclosure when paid in full

CEs must agree to an individual’s request to restrict disclosure to a health plan if the individual pays in full for a service or item.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Disclosure of genetic information for underwriting purposes

Health plans may not use or disclose genetic health information for underwriting purposes.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

School immunizations

CEs may release immunization records to schools without an authorization if done pursuant to HIPAA standards.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Decendent Information

Decedents’ PHI is under HIPAA protection for 50 years after death.  The Final Rule enables CEs to continue communicating with relevant family and friends after an individual’s death.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

Privacy Notices

Covered entities must change their privacy notices to reflect new privacy practices and patient rights.  Update notice of privacy practices to include:

Prohibition of sale of PHI        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Duty to notify in case of a breach        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Right to opt out of fundraising        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Right to disclosure restrictions when paid in full        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Limit on use of genetic information        Not completed.

       Completed but not Documented.

       Completed and Documented.

Electronic Copies of PHI

Patients now have the right to get electronic copies of all of their electronic medical records upon request, rather than a hard copy, even if the electronic copy is not readily reproducible.  Patients can also direct that a designated third party receive copies.

Provide a method for patients to receive electronic copies of electronic PHI.        Not completed.

       Completed but not Documented.

       Completed and Documented.

Research

HHS finalized its proposal to allow a blending of “conditioned” and “unconditioned” authorizations for research into a single document, where individuals can simply opt-in to the unconditioned authorization.  In addition, one-time authorization may be applied, with notice, for future research. vUpdate research authorization policies/paperwork to:

Allow for combined “unconditioned” and “conditioned” authorizations.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Allow for authorizations for future research, with notice, to individuals.        Not completed.

       Completed but not Documented.

       Completed and Documented.

II.                  DEFENSIVE ACTIONS.

Assessment of Security Risks

Assess and document risks to PHI relative to regulatory obligations, and develop and implement mitigation strategies for achieving compliance.

Perform a HIPAA security compliance assessment.

A HIPAA security compliance assessment evaluates a CE’s regulatory obligations; existing administrative, technical and physical safeguards; and gaps along with recommendations for ensuring regulatory compliance and best practices.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

Conduct a security risk analysis.

A risk analysis is a prospective and in-depth analysis of the risks to a covered entity’s information assets involving electronic PHI and recommendations to meet the requirements of the HIPAA Security Rule — including updated requirements in the Final Rule.  This is also a requirement for meaningful-use attestation by covered entities.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

Mitigation and Action

Take proper steps to mitigate the likelihood and impact of a data breach based on the assessment of your organization’s security risks.

Develop risk mitigation scope.

Review and prioritize the risks revealed by your risk analysis based on their business impact and likelihood of occurrence.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Create a mitigation plan.

Develop a risk mitigation plan including prospective schedules for addressing security vulnerabilities and required budgets and resources.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Update relevant security policies and procedures.

Revisit and update security policies and procedures for these high-risk items.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Evaluate and implement security technologies.

Based on the risk analysis, implement or update safeguards and technologies to protect PHI.  Pay special attention to encrypting PHI in all modes — in motion, at rest, etc. according to NIST specifications.  Doing so provides a safe harbor from data breach notification requirements in many cases.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

III.                Breach Notification Rule

Background: Under the interim final rule, a breach crossed the harm threshold if it “pose[d] a significant risk of financial, reputational, or other harm to the individual.”  The HIPAA Final Omnibus Rule removes the harm standard, replacing it with a new compromise standard.  However, the Final Rule does not explicitly define the term “compromise.”  Covered entities must still conduct an incident risk assessment for every data security incident that involves PHI.  Rather than determine the risk of harm, however, the risk assessment determines the probability that PHI has been compromised.  The risk assessment must include a minimum of these four factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed;
  4. The extent to which the risk to the protected health information has been mitigated.

If your organization has a security or privacy incident involving PHI, and your risk assessment concludes there was a very low probability that PHI was compromised, you may choose to not notify the affected individuals or OCR.  However, the Final Rule requires that your organization maintain a burden of proof if your conclusions are called into question — or demonstrate that one of the existing exceptions to the definition of breach applies.

Policies and Procedures.

Update policies and procedures to enable you to:

Detect and escalate a potential breach to your incident response team.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Conduct incident risk assessments per the Final Rule.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Provide supporting documentation to meet your burden of proof, including your incident risk assessment methodology.        Not completed.

       Completed but not Documented.

       Completed and Documented.

Incident Response Planning & Testing

Prepare, document, and test the proper steps for a breach response following a data security or privacy incident that complies with the new breach definition outlined in the Final Rule.

Planning

• Update your incident response plan by incorporating your new incident risk assessment methodology and associated updates to your policies and procedures.

• Identify methods for detecting a breach.

• Determine types of notification based on the level of risk.

• Identify the response team and designate roles and responsibilities.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Testing

• Retrain your incident response team and workforce members on incident reporting protocol.

• Periodically conduct a tabletop or full-scale test and make needed adjustments.

       Not completed.

       Completed but not Documented.

       Completed and Documented.

Incident Risk Assessment

Define and document a method for consistent incident risk assessment using the four factors required by the Final Rule.  Ensure that your method provides the necessary decision support to determine if an incident is a reportable breach or not and meets your burden of proof obligations under the Final Rule.

Method uses the four factors required by the Final Rule.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Method provides decision support and meets your burden of proof obligations under the Final Rule.        Not completed.

       Completed but not Documented.

       Completed and Documented.

IV.               Business Associates

Background: The HIPAA Final Omnibus Rule extends the definition of a business associate as one that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity.  This definition now also encompasses subcontractors that manage PHI and specific categories of organizations, namely:

  1. Health information organizations (HIOs).
  2. E-prescribing gateways.
  3. Patient safety organizations.
  4. Vendors of PHI that provide services on behalf of a covered entity.
  5. Data storage vendors that maintain PHI even if their access to PHI is limited or nonexistent.

Covered entities should review their roster of vendors, service providers, and other third parties and enter into contracts (that include the BA Definition Scope Expansion) with these “new” business associates.  In addition, covered entities must enter into a contract with all business associates, but they are not required to enter into direct contracts with subcontractors of their business associates and other downstream entities.  The same chain of contracts applies.  These contracts must specify compliance with the Breach Notification Rule.  If a covered entity designates HIPAA responsibility to a business associate, the contract must also specify that the business associate will comply with HIPAA regulations.

New Definition of Business Associates

Prepare, document, and test the proper steps for a breach response following a data security or privacy incident that complies with the new breach definition outlined in the Final Rule.

Create new contracts with entities that fit the new definition of a business associate.        Not completed.

       Completed but not Documented.

       Completed and Documented.

Update Business Associates Contracts

These contracts must specify:

Compliance with the Breach Notification Rule.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Liability for HIPAA compliance.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

Assurances that they and subcontractors will safeguard PHI.        Not completed.

       Completed but not Documented.

       Completed and Documented.

 

The HIPAA Final Omnibus Rule impacts nearly every aspect of a covered entity’s patient privacy and data security measures.  But with this task list, compliance doesn’t have to be daunting.  And you don’t have to go it alone.  Shawn M. Lindsay at Harris Berne Christensen LLP is available to help along the way.

Contact Shawn Lindsay today at 503.596.2928; shawn@hbclawyers.com