HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.


Overview: The Privacy and Security Rules

HIPAA Privacy Regulations effective April 14, 2003(4) (“Privacy Rule”)

HIPAA Security Regulations effective April 20, 2005(6) (“Security Rule”)

Rules apply to Health Plans, Health Care providers and Health Care Clearinghouses – HIPAA “Covered Entities”

Self-funded health plans (including HRAs and health flexible spending plans) are required to fully comply with the Privacy and Security Rules; fully-insured plans (group medical, dental and vision policies) have limited compliance obligations because of their limited access to PHI.


HIPAA’s Privacy and Security Rules Apply to “PHI”

• Under the Privacy Rule, any unauthorized uses and disclosures of participants’ “PHI” by the Plan are prohibited

PHI Defined: information about past, present, or future physical or mental health condition, or payment for medical treatment, if the information identifies or could be used to identify the participant. Includes electronic information (“ePHI”) as well as any other form.

Does not include employment/FMLA records, disability insurance records, ADA information, drug screen results, or fitness for duty tests maintained by an employer outside of its role as Plan sponsor.


Certain Uses and Disclosures of PHI Permitted

• Uses and Disclosures between Covered Entities

• Uses and Disclosures for Treatment, Payment, and Health Care Operations (“TPO”)

• Uses and Disclosures to a Business Associate (organization providing administrative, consulting or other services to the Plan) if a BA agreement is in place

• Uses and Disclosures pursuant to a valid HIPAA authorization


Individual Rights Created; Compliance Steps Required

Individual rights include right to notice of privacy practices, right to request restrictions on PHI uses and disclosures, right to confidential communications, right to access and amend PHI, and right to accounting of disclosures.

Plan required to appoint Privacy Officer and Security Officer

Plan amendments required so Plan sponsor could access PHI

Standards related to scope of permitted disclosures (“minimum necessary standard”), marketing, sale and other uses of PHI implemented


Privacy and Security Policies and Procedures

Plan must adopt privacy and security policies and procedures to address its compliance with all aspects of HIPAA Privacy Rule and Security Rule, including:

• How and to whom PHI will be used and disclosed, including a policy for identifying and entering into Business Associate agreements;

• Which Plan employees will be authorized to access PHI;

• How workforce training will be addressed;

• How participant rights will be protected;

Privacy and Security Policies and Procedures (continued)

• How internal safeguards will be established (e.g. access controls, firewalls, encryption, password protection);

• What policy and process will apply for complaints and sanctions related to HIPAA violations;

• How the administrative, technical and physical safeguards required by the Security Rule will be addressed and implemented.

Other Key HIPAA Concepts Prior to HITECH Act

Business Associates (BAs) of Plans only obligated to comply with HIPAA as required in Business Associate agreements.

Informal Compliance Assistance provided by CMS and OCR; enforcement was not aggressive and health plan HIPAA audits were uncommon.

No Private Right of Action.


HIPAA Changes in ARRA

HIPAA Privacy and Security Rules unchanged until the American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009.

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended HIPAA with respect to electronic health records, breach notification, increased penalties and enforcement.

Generally effective beginning February 17, 2010

Key Change #1: Applicability of HIPAA Privacy & Security Rules to Business Associates

Business Associates (BAs) are now required to directly comply with the HIPAA Privacy and Security Rules, similar to Covered Entities.

BAs are directly subject to HIPAA’s civil and criminal penalties for HIPAA Privacy and Security Rule violations. BAs were previously bound only by the terms of business associate agreements; a breach of contract action by the Plan was the only avenue to address violations.


Key Change #2: The Breach Notification Regulations

Prior to HITECH, there was no legal requirement to affirmatively notify participants of an incident involving the unauthorized use or disclosure of PHI; the Plan was only required to inform participants if they asked.

New regulations make breach notification requirements effective as of September 23, 2009, and subject to sanctions for violations any time on or after February 22, 2010.

A Breach Involving PHI

A “Breach” occurs if:

• An unauthorized access, use or disclosure of PHI occurs, and

• The access, use or disclosure compromises the security or privacy of the PHI.

• Security or privacy is compromised if the use or disclosure “poses a significant risk of financial, reputational or other harm to the individual.”

If an unauthorized use or disclosure is discovered, the Plan must perform a risk assessment to determine if the use or disclosure poses a significant risk of harm, thereby requiring notification.


Exemptions from Breach Notification Requirements

“Secured” PHI: encrypted (if electronic PHI) or destroyed (if paper PHI)

A “Limited Data Set” with zip codes and birth dates removed

Certain disclosures between HIPAA covered entities and workforce members who have a duty to protect the information

Required Action Steps in the Event of a Breach

Discovery of the Breach: a breach is considered discovered as of the first day the breach is known by the Plan (or its agent), or when, by exercising reasonable diligence, it would have been discovered.

Knowledge of a breach by a workforce member or agent (BA) is attributed to the Plan

The time period begins to run upon knowledge of the event occurring, even before the risk assessment is completed to determine whether harm could result from the incident.


Notification of Breach to Individuals

Once a privacy or security incident is discovered, the Plan must complete a risk assessment to determine if harm to individuals could result from the incident. Factors to consider – who, what, why, when, how? Subjective analysis.

If harm is possible, notification by the Plan directly to the individuals affected by the breach is required no later than 60 calendar days after discovery of the breach.


Notification to Media Outlets and Secretary of HHS

If Plan does not have contact information for 10 or more affected individuals, then Plan must post a conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.

If more than 500 residents of a state are affected, the Plan must notify prominent media outlets of the breach. (This is in addition to the individual notices mentioned above.)

If more than 500 individuals’ PHI is involved, the Plan must immediately notify the Secretary of HHS of the breach; if fewer than 500 individuals’ PHI is involved, the Plan still must notify HHS, but may wait until 60 days after the end of the calendar year.

Key Change #3: Heightened Civil Enforcement

Under HITECH, civil penalties for HIPAA violations have increased, and HHS is required to investigate complaints of privacy and security breaches.

HHS has announced a HIPAA audit initiative.

Penalty Regulations effective on November 30, 2009, and apply to violations after February 17, 2010.


New Penalty Structure under Interim Final Regulations

Plan Unaware of Violation: minimum civil penalty is $100 per violation

Violation Due to Reasonable Cause: minimum is $1,000 per violation

Violation Due to Willful Neglect; Corrected Within 30 Days: minimum is $10,000 per violation

Violation Due to Willful Neglect; Not Corrected: minimum is $50,000 per violation

Each level of penalty carries with it a maximum of $50,000 per violation, and an overall limit of $1,500,000 for identical violations in a calendar year.


Criminal Liability Also Possible

Plan employees (as well as business associates) who obtain or disclose PHI without authorization may also be criminally liable.

Criminal liability generally extends to intentional harmful conduct for profit or personal gain.

Key Change #4: Additional Legal Remedies for Breaches

In addition to criminal and civil penalties, the new law creates additional remedies:

• A State Attorney General may bring an action for injunctive relief or damages on behalf of state residents adversely affected by a HIPAA violation.

• The Connecticut AG recently announced legal action for an injunction/civil penalties against Health Net based on a missing computer disk drive and failure to take prompt action to mitigate/notify.

• Individuals may be awarded a percentage of civil monetary penalties collected for violations.


Key Change #5: Increased Restrictions and Individual Rights

“Minimum Necessary” disclosures restricted to a “Limited Data Set” unless impracticable; regulations expected

“Health Care Operations” definition will be modified to further restrict disclosures for TPO; regulations expected

Increased restrictions on marketing and sale of PHI

Changes made to individual rights – additional restrictions on provider disclosures to health plans (cash payments)

Changes related to Electronic Health Records (“EHRs”):

• If EHRs are used, the Plan must account for all uses and disclosures

• Requires Plans to provide PHI electronically if EHRs are used


Task List: Steps for HIPAA/HITECH Compliance

• Revisit plan documents to ensure HIPAA required amendments are in place, and reissue the Privacy Notice if necessary (required every 3 years).

• Revise HIPAA policies to incorporate HITECH provisions, risk assessment and breach notification requirements, OR implement up-to-date HIPAA policies for all group health plans if not previously adopted.

• Revisit Security Rule requirements to ensure administrative, technical, and physical safeguards are in place, OR implement Security Rule requirements for ePHI if not previously completed.

Task List: Steps for HIPAA/HITECH Compliance (continued)

• Encrypt or password protect ePHI wherever practicable; review company policies for laptop computers and PDAs.

• Identify and train workforce members handling PHI; provide additional training on the new HITECH Act provisions.

• Review workforce sanction policy (or implement if needed).

• Ensure that Business Associate agreements are in place with all service providers handling PHI for the Plan, and that those agreements are updated for HITECH.

QUESTIONS???

CONTACT INFORMATION

Katy Stowers: [email protected], (317) 238-6257

Kristen Gentry: [email protected], (317) 238-6288