HIPAA Fundraising Fundamentals for Foundations

WHA’s 2013 Prescription for Success: A Workshop for Hospital Foundations

August 13, 2013

Presented by: Monica C. Hocum, Esq. and Leia C. Olsen, Esq.

Agenda

• HIPAA Overview

• Key Dates under the Omnibus Final Rule

• Fundraising Fundamentals

• Other Key Changes under the Final Rule

• Compliance Strategies and Next Steps

HIPAA Overview

• Health Insurance Portability and Accountability Act of 1996

– HIPAA was amended in 2009 by the Health Information Technology for Economic and Clinical Health Act (“HITECH”)

– In early 2013, the Final Rule implemented HITECH changes

• HIPAA was enacted due to:

– Increase in electronic exchange of information

– Perception that health information was insecure

HIPAA and State Law Pre-emption

• HIPAA establishes a minimum level of privacy for PHI but does not interfere with state laws that provide greater protection

• As such, if a state law is more stringent than HIPAA (i.e., more protective of the confidentiality of the individual’s PHI or allows the individual greater control over PHI), the state law will apply

Key Terms – Protected Health Information (“PHI”)

• PHI is information that:

– Relates to:

• The past, present or future physical or mental health or condition of an individual;

• The provision of health care to an individual; or

• The past, present or future payment for the provision of health care to an individual

Key Terms – Protected Health Information (“PHI”) (cont’d)

• PHI is information that (cont’d):

– Is created or received by a covered entity or a business associate that:

• Identifies an individual, or

• Contains enough detail to reasonably identify the individual

– Is transmitted or maintained in any form or medium (including oral or written information)

PHI Exceptions

• PHI does not include:

– Education records, including student health records, covered by federal education laws

– Employment records held by a covered entity in its role as an employer

– Information received from the individual for purposes other than health care (e.g., completion of an information card to participate in a fundraising event)

– Information from sources outside the covered entity (e.g., commercial mailing lists)

Key Terms - De-identified Information

• De-identified information is not PHI

• A health care provider is permitted to use and disclose de-identified information without restriction

• De-identification requires removing 18 different categories of identifiers as they relate to the individual or the individual's relatives, employers or household members

• Often necessary when applying for grants or reporting on use of grant funds

Key Terms - Use and Disclosure of PHI

• Use means the utilization or sharing of PHI within the covered entity

• A disclosure is a transfer or sharing of PHI outside a covered entity

Fundraising Fundamentals

Fundraising – What is it?

• A communication made to an individual on behalf of a hospital* for the purpose of raising funds for the Hospital

• Examples:

– Appeals for money

– Requests for sponsorships of events

• Fundraising is NOT:

– Royalties

– Amounts paid related to sales of products to 3rd parties (except auctions, rummages, etc.)

* We use the term “hospital” generically to refer to all covered entities that may engage in fundraising activities.

Fundraising – Health Care Operations

• HIPAA allows hospitals to use and disclose PHI without an authorization for treatment, payment and health care operations

• The definition of “health care operations” includes fundraising for the benefit of the Hospital

• HIPAA sets limitations on the Hospital’s use and disclosure of PHI for fundraising purposes

Fundraising – Minimum Necessary Standard

• Reasonable efforts must be taken to limit the use of PHI to the minimum necessary

• Applies to most internal uses of information, including fundraising

Fundraising – Implementing the Minimum Necessary Standard

• Requires:

– A specific analysis of who needs access to information to perform their job duties

• Even how information is filtered for fundraising must comply with limitations

– Identification and implementation of reasonable safeguards to prevent others from having access to PHI

Fundraising – Foundations

• Three different foundation structures

– Division or department of the Hospital

– Institutionally-related foundation

• Qualifies as a nonprofit charitable foundation under 501(c)(3)

• Has in its charter a statement of charitable purposes and an explicit linkage to the Hospital for which it is fundraising

• Can also have linkage to other hospitals in the community, but must limit use of a hospital’s PHI to fundraising for that hospital

– Business associate of the Hospital

Fundraising – Use and Disclosure of PHI

• The Final Rule expanded the categories of PHI that a hospital may use, or disclose to an institutionally-related foundation or business associate, for fundraising purposes:

– Demographic information (includes name, address, contact information, age and gender)

– Dates of service

– Health insurance status (new)

– Date of birth (new)

– Department of service (new)

– Treating physician (new)

– Outcome information (new)

Fundraising – Use and Disclosure of PHI (cont’d)

• Special considerations:

– Health insurance status – insured/not insured versus type of insurance

– Department of service – NOT diagnosis

– Outcome information – screening purposes only

Fundraising – Requirements

• PHI cannot be used for fundraising purposes unless specified in the Notice of Privacy Practices (NPP)

– Opt out methods may be, but do not have to be, in the NPP

• Each fundraising communication must provide a clear and conspicuous opportunity for the individual to opt out of future fundraising communications

– Includes oral fundraising efforts

• May provide individuals who have opted out with a way to opt back in to receiving fundraising communications

• Can always do more with a valid written authorization

Fundraising – Methods of Opting Out

• May provide multiple approaches for opting out but methods may not impose an undue burden or cost on the individual

– Permissible methods: Requiring an individual to call a toll-free number, send an email, or mail a pre-printed, postage-paid postcard

– Impermissible methods: Requiring the individual to send a written letter

• Opt out may apply to all fundraising, or by campaign

– Consider ability to implement campaign specific opt outs

• Opt out cannot be form-specific (i.e., cannot opt out of telephone campaigns but not mail campaigns)

• Consider need for translation to other languages

Fundraising – Effects of An Opt Out

• An “opt out” is treated as a revocation of authorization to use or disclose the individual’s PHI for fundraising purposes

– Prior standard was “reasonable efforts” to honor opt outs

• Need to have a reliable method of tracking opt outs

• Need to have a way for the Hospital and Foundation to regularly communicate regarding fundraising opt outs

• Can only resume fundraising communications if the individual affirmatively opts back in to receiving fundraising communications (i.e., opt out cannot automatically lapse after a given time period)
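The two slides above (the permitted PHI categories for fundraising, and the effects of an opt out) describe a data-handling rule that a hospital could enforce mechanically before handing records to its foundation. The following is an added example written for this page, not code from the presenters or from WHA: it keeps only the permitted fields, collapses insurance to insured/not insured, drops diagnosis, and treats an opt out as a standing revocation that only an affirmative opt in clears. All records, patient ids and campaign names are constructed sample data, and the field names are assumptions chosen for illustration.

```python
"""Minimum-necessary filter and opt-out registry for fundraising extracts.

Added example (not part of the WHA presentation). Field names and sample
records are assumptions made for illustration only.
"""
from datetime import date

# Categories the slides list as permitted for fundraising use/disclosure.
PERMITTED_FIELDS = frozenset({
    "name", "address", "contact", "age", "gender",    # demographic information
    "dates_of_service", "date_of_birth", "department",
    "treating_physician", "outcome", "insurance_status",
})

# Constructed sample hospital records. They deliberately carry fields that the
# slides say must NOT reach fundraising: diagnosis and the type of insurance.
SAMPLE_RECORDS = [
    {"patient_id": "P001", "name": "Pat Example", "address": "1 Main St",
     "contact": "555-0100", "age": 54, "gender": "F",
     "date_of_birth": date(1959, 3, 2), "dates_of_service": [date(2013, 6, 1)],
     "department": "Cardiology", "treating_physician": "Dr. Roe",
     "outcome": "discharged", "diagnosis": "I21.0", "insurance_plan": "Acme Gold"},
    {"patient_id": "P002", "name": "Sam Sample", "address": "2 Oak Ave",
     "contact": "555-0101", "age": 37, "gender": "M",
     "date_of_birth": date(1976, 9, 14), "dates_of_service": [date(2013, 7, 9)],
     "department": "Orthopedics", "treating_physician": "Dr. Doe",
     "outcome": "discharged", "diagnosis": "S72.0", "insurance_plan": None},
]


def minimize_for_fundraising(record):
    """Apply the minimum-necessary standard to one record.

    Only permitted fields are copied; insurance is reduced to status
    (insured / not insured), never the plan type; diagnosis is dropped
    because only department of service may be used.
    """
    out = {k: v for k, v in record.items() if k in PERMITTED_FIELDS}
    out["insurance_status"] = "insured" if record.get("insurance_plan") else "not insured"
    return out


class OptOutRegistry:
    """Tracks fundraising opt outs for the Hospital/Foundation to share.

    An opt out is a revocation: it never lapses on its own and is cleared
    only by an affirmative opt in. Opt outs may cover all fundraising or a
    single campaign, but never a single form of contact (mail vs. phone).
    """

    ALL = "*"  # sentinel meaning "all fundraising communications"

    def __init__(self):
        self._opted_out = {}  # patient_id -> set of campaign names or ALL

    def opt_out(self, patient_id, campaign=ALL):
        self._opted_out.setdefault(patient_id, set()).add(campaign)

    def opt_in(self, patient_id):
        # Affirmative opt in is the only way back onto the list.
        self._opted_out.pop(patient_id, None)

    def is_opted_out(self, patient_id, campaign):
        scopes = self._opted_out.get(patient_id, set())
        return self.ALL in scopes or campaign in scopes


def build_fundraising_extract(records, registry, campaign):
    """Return minimized records for everyone not opted out of this campaign."""
    return [minimize_for_fundraising(r) for r in records
            if not registry.is_opted_out(r["patient_id"], campaign)]


if __name__ == "__main__":
    registry = OptOutRegistry()
    registry.opt_out("P001")  # P001 opted out of all fundraising
    for row in build_fundraising_extract(SAMPLE_RECORDS, registry, "annual-appeal"):
        print(row)
```

The extract is built on the hospital side and keyed by the hospital's patient id, so the foundation never sees the identifier or the excluded fields; the registry is the shared, reliable opt-out record the slides call for, and the absence of any expiry logic is deliberate.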

Fundraising – Disclosure to Business Associates

• Under the Final Rule, PHI may only be disclosed for fundraising purposes to a business associate or an institutionally-related foundation

• Business associate is defined as a person who, on behalf of the Hospital creates, receives, maintains, or transmits PHI

– Includes business associate subcontractors

• Institutionally-related foundations are not considered business associates

Fundraising – Business Associate Agreements

• The Hospital must have a valid Business Associate Agreement (BAA) in place before disclosing PHI to a business associate for fundraising purposes

• If subcontractors are used, the Hospital is not required to have a direct BAA with the subcontractor – this is the primary business associate’s obligation

• Both BAAs and subcontractor BAAs must be in writing

Fundraising – Business Associate Liability

• Business associates (and subcontractors) are now directly liable for compliance with HIPAA Privacy and Security Rules

• Violations can result in civil and criminal penalties being imposed on the business associate

• Hospitals may remain liable for a business associate’s actions under the federal common law of agency

• Institutionally-related foundation liability not addressed

– Generally considered part of the Hospital for purposes of HIPAA compliance

Fundraising – BAA Timelines for Compliance

• BAAs must comply with Final Rule by September 23, 2013

• Compliant BAAs in place prior to January 25, 2013 will be grandfathered until September 22, 2014 or until agreement is renewed or modified, whichever comes earlier

– “evergreen” agreements remain eligible for grandfathering

Other Key Changes Under the Final Rule

2013 Final Rule Key Changes

• Marketing/Sale of PHI

• Research Authorizations

• Individual Rights to Access and Request Restrictions

• Decedents/Immunizations/Genetic Information

• Notice of Privacy Practices

• Breach Notification


Breach Notification – Definition of “Breach”

• “Breach” under original Interim Final Rule:

– Acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule that poses a significant risk of financial, reputational, or other harm to the individual based on a risk assessment

• “Breach” under new Final Rule:

– Acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule, unless there is a low probability that the PHI has been compromised based on a risk assessment

– In other words, a Breach is presumed unless demonstrated otherwise

Breach Notification – Exclusions

• Excluded from the definition of a “Breach”:

– Within Scope of Authority

– Inadvertent Disclosure

– Unable to Retain

• Encryption still considered a “safe harbor”

• Limited data sets

– Subject to risk assessment

Breach Notification – Risk Assessment

• Final Rule identifies four factors to consider:

1. Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification

2. Unauthorized person who used PHI or to whom disclosure was made

3. Whether PHI was actually acquired or viewed

4. Extent to which risk to PHI has been mitigated

• Assess and document the four factors noted above and all other relevant factors

Breach Notification – Timing

• Required notifications must be made without unreasonable delay, but in no case later than 60 days after discovering the breach

• Breaches of unsecured PHI are treated as discovered as of the first day on which an employee, officer or other agent of the Hospital knew, or should reasonably have known, that a breach occurred

Breach Notification – Methods

• Methods of breach notification remain the same

– Patients

– Media (>500 affected individuals)

– HHS/OCR

• March 1st deadline for reporting to HHS all small breaches (<500 affected individuals) that occur during prior calendar year

• Still need to comply with state law obligations

Compliance Strategies and Next Steps

• Hospitals must review and update NPPs

• Consider opt out methods allowed by Hospital policy or NPPs

• Develop process for tracking opt outs and regular communication with Hospital

– Track source of information (Hospital PHI, patient request, commercial list)

– Be aware of perception that source of information is protected

• Consider need for and/or revise BAAs or Subcontractor BAAs

– Make a list of all business associates and subcontractors

• Update policies – don’t forget about security policies

– Make sure consistent with practices, especially if following Hospital policies

• Train workforce members or participate in Hospital training

Fundraising – General Rule

• General Rule: If there is an opportunity to make a donation, it is fundraising

– Newsletters – including fundraising appeals

– Sponsored events with fundraising component

– Events with active fundraising

Leia C. Olsen, Esq. 414.271.0466 [email protected]

QUESTIONS?

Monica C. Hocum, Esq. 414.721.0454 [email protected]

HEALTH LAW IS OUR BUSINESS.