Welcome to the Healthcare & Life Sciences Institute Webcast

Impact of HIPAA Changes – Are You Prepared?

Monday, March 25, 2013, 2:00 – 3:00 p.m. ET
Help Desk Hotline: 1-877-398-1471 (Outside the U.S.: +1-954-969-3342)

Impact of HIPAA Changes – Are You Prepared? Webcast Slide … · Omnibus Update with impacts and actions to your organization ... marketing, research and disclosure


Page 2

Administrative

Today’s Presentation – Go to “Supporting Materials” link on screen: Download a copy of today’s presentation in color or black & white

CPE regulations require that online participants take part in online questions. You must respond to a minimum of 4 questions per 50 minutes.

Polling questions will appear on your media player

Results will be reviewed in the aggregate; no responses will be tracked back to any individual or organization.

Do not view the presentation on slide show mode – polling questions will not appear

To ask a question, use the “Ask A Question” icon on your media player – type your question – click “submit”. Help Desk: 1-877-398-1471 or, outside the United States, 1-954-969-3342.

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 160179_NSS


Page 3

With Us Today

Michael Ebert, Partner, KPMG LLP

Jutta Williams, Director, Corporate Compliance Privacy Office, Intermountain Healthcare


Page 4

Today’s Discussion

• Where we are today

• HIPAA Privacy, Security and Breach Notification

• Omnibus Update with impacts and actions to your organization

• A year of OCR Compliance Audits – Lessons Learned & Impacts these lessons have on compliance to HIPAA and the Omnibus provisions

• Industry View – Intermountain Healthcare dealing with HIPAA and the Omnibus

• Summary

• Action Steps

• Q&A


Page 5

Summary – Where We Are To Date / How We Got There

HIPAA Privacy and Security rolls out starting in 1998 over an 8 year period and gains new teeth from 2009 to 2013. Immediate rush to compliance with little to no enforcement in the beginning.

Congress steps up heat on HHS on enforcement of privacy rights

Congress passes HiTech and fixes holes in HIPAA

Health and Human Services (HHS) responds by moving Security from CMS to Office for Civil Rights (OCR)

Breach Notification Rules are produced

OCR Compliance Audit Program is rolled out

Omnibus rule updating HIPAA is published

Activities to date: New Director of OCR with strong track record for enforcement

OCR, with the power of the Breach Rule, increases enforcement

Page 6

HIPAA Privacy, Security and Breach Notification

Omnibus Impacts

Page 7

The Omnibus – Summary

Adds a great deal of complexity to Privacy Management

Renewed emphasis on your training programs

Understanding and applying all of the new opt-out and rights to restrict use of Protected Health Information (PHI) provisions for fund raising, marketing, research and disclosure of PHI to Health Plans (self pay).

Request for medical records by an individual in ANY form they choose, provided PHI is “readily producible” in that form.

Presumption by OCR that your existing systems and processes can support the above as well as other requirements for permitted uses and disclosures.

Multi-opt ins/outs will require a different presentation of your Notice of Privacy Practices (NPP), including a better effort of communication of individual rights to a patient.


Page 8

The Omnibus – Summary – Business Associates

Business Associates (BA): Need to modify your BA agreements no later than Sept 2014, but you may want to put forth the effort to move them all to an updated BAA by September 2013 (grandfathered).

Definition of BA changed: create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity.

Business Associates need to comply with ALL of the Security Rule and the use or disclosure limitations of the Privacy Rule, as well as extended requirements in the Breach Notification Rule.

If a relationship is deemed to be an agency relationship, the Covered Entity’s (CE) responsibility for the BA and for a breach increases.

Downstream risk liability imposed

– Subcontractors of a BA are now defined as a BA

Third Party risk programs should be adopted by ALL CEs: must gain documented “satisfactory assurances.”

Contracting with BA’s will be more complex as BA’s push to defined limitation of PHI exchange and true responsibility in the management of any elements of PHI.

De-identification or partial de-identification will be and should be a part of all BA discussions.

Page 9

Breach and Notifications

Eliminated the “harm threshold”: “Significant risks of reputational, financial or other harm” is no longer the measurement for breach reporting.

Now, impermissible use/disclosure of (unsecured) PHI is presumed to require notification, unless a covered entity can demonstrate a low risk of harm using a risk analysis.

The Risk analysis must now include:

– The nature and extent of PHI involved

– The unauthorized person who used the PHI or had access

– Whether PHI was actually acquired or viewed

– The extent risk has been mitigated

This is a much lower threshold; in fact, OCR will consider any loss to have been viewed, thus increasing your responsibility to report breaches.

Page 10

Activities and Enforcement

Page 11

Enforcement Expectations – Complaint Investigation and Resolution

TOTAL (since 2003; as of December 31, 2012)

• Complaints Filed: 77,200

• Cases Investigated: 27,500

• Cases with Corrective Action: 18,600

• Civil Monetary Penalties & Resolution Agreements (since 2008): $14.9 million

Page 12

A Year of Audits: Lesson Learned

Page 13

Preliminary Analysis From the Audits

• Policies and Procedures exist but are outdated or not implemented

• HIPAA compliance programs were not a priority

• Small providers have broad failures across the Rules

• Larger entities continue to have security challenges

• Entities are not conducting regular Risk Assessments

• Entities are not managing third party risks

• Privacy challenges are widely dispersed throughout the protocol – no clear trends by entity type or size


Page 14

Overall Audit Results Analysis – Findings and Observations

• 64% of the selected audit protocol pertained to Privacy, 28% pertained to Security and 8% pertained to Breach Notification.

– 60% of the findings and observations were in the audited Security protocol

• Due to the specific activities of the covered entity, not all of the Privacy protocol in its entirety applied to all of the entities.

• No clear trends in the Privacy findings and observations; the challenges were wide-spread.

• Providers had more findings and observations than Health Plans and Clearinghouses.

• Details are on the subsequent slides…


Page 15

Overall Audit Results Analysis – Findings and Observations

There are several overarching trends in the audit results noted in the 115 entities audited.

There were 979 audit findings and observations across all entities:

– 293 Privacy audit findings and observations;

– 592 Security audit findings and observations; and,

– 94 Breach Notification audit findings and observations.

58 of 59 providers had at least one finding or observation in HIPAA Security.

47 of 59 providers, 20 out of 35 health plans and 2 out of 7 clearinghouses did not have a complete and accurate risk assessment.


Page 16

Overall Audit Results Analysis – Cause Analysis – Unaware of the Requirement

For 39% (115 of 293) of Privacy audit findings and observations, the entities said they were unaware of the requirement.

75% (86 of the 115) were on areas of the audit protocol where the performance criteria were derived directly from the HIPAA Privacy Rule.

Top Privacy areas with this cause:

– Notice of Privacy Practices;

– Access of Individuals;

– Minimum Necessary; and,

– Authorizations.

For 27% (163 of 593) of Security audit findings and observations, the entities said they were unaware of the requirement.

94% (153 of 163) were on areas of the audit protocol where the criteria were derived directly from the HIPAA Security Rule.

Top Security areas with this cause:

– Risk Analysis;

– Media movement and disposal; and,

– Audit controls and monitoring.

12% (11) of the Breach Notification audit findings and observations had this cause. All 11 findings were on areas of the audit protocol where the criteria were derived directly from the Breach Notification Rule.

Page 17

HIPAA Privacy, Security and Breach Notification –Audit Findings and Observations

Audit Findings and Observations by Rule

Audit Findings and Observations by Level

Audit Findings and Observations by Type of Covered Entity


Page 18

HIPAA Privacy, Security and Breach Notification –Audit Findings and Observations

Audit Findings and Observations Distribution


Page 19

Industry View on Dealing with the Omnibus and HIPAA – Intermountain Healthcare

Page 20

Industry View – Intermountain

• Prior to delivery of the Omnibus Rule, Intermountain completed a review of HIPAA and HITECH privacy and security controls and engaged KPMG to perform a comprehensive risk assessment of both programs.

• The risk assessment evaluated current posture against industry leading practices.

• Given the clear focus on oversight and management of Business Associates in the proposed rule, Intermountain requested specific analysis of existing 3rd party data release processes.

• Post risk assessment, Intermountain identified two projects that would improve existing contract management practices and prepare us for the final rule.

• Lifecycle Management of Privacy Agreements

• Tiered Risk Management Approach for Attestation and Audit of BA compliance with HIPAA and HITECH


Page 21

Industry View – Intermountain

• In addition to BAA management projects, Intermountain identified a number of other projects based on the Omnibus rule and associated commentary:

• Accounting of Disclosures:

  • Exceptions for “Required by Law” were not granted as proposed; therefore, improved solutions for automated collection of State and Federal reporting disclosures will be implemented.

• Updates to and Redistribution of the Notice of Privacy Practices:

  • For health delivery notice: update breach notification language, update restriction information, and modify appointment reminder and marketing opt-out language.

  • For payer notice: add language restricting the use of genetic information and update breach notification language.

• Disclosure of PHI:

  • The final rule permits the disclosure of immunization information to schools with the consent of the individual/personal representative. Updates may be needed to our current processes to document verbal consents for release of immunization data.

  • Update policies, procedures and forms with regard to restriction to payers, when requested by a patient, for services paid in full by patients.

  • In accordance with Meaningful Use, technical means for delivering patient records in a more timely manner have already been implemented; modify existing policies, procedures and education to reflect new delivery requirements under HIPAA.

Page 22

Industry View – Intermountain

• New Operational Requirements Continued:

• Disclosure of PHI

  • Sale of PHI provisions were more restrictive than anticipated. As part of lifecycle management efforts, all data projects that include remuneration will need to document compliance with provisions. New policies, procedures and education will need to be delivered to workforce members conducting research, and new methods for tracking costs will need to be established to prove remuneration was equal to the cost of services delivered.

• Use of PHI

  • Marketing provisions require updated policies, procedures and education for workforce members on communications related to 3rd party products, with specific education for retail/specialty pharmacy and payer functions on changes to new reminder and refill communication allowances.

  • The Final Rule expands the amount of PHI available for use in fundraising activities but also requires a CE to provide an individual with an opportunity to opt out of fundraising communications. To comply, we will update fundraising definitions in existing policies and procedures and determine if opt-out processes are sufficiently robust to meet the requirements of the rule.

Page 23

Industry View – Intermountain

• New Operational Requirements Continued:

• Breach Assessment and Reporting

  • Update policies, procedures and education to modify the definition of a “breach” to eliminate the risk of harm standard and add a legal presumption that any acquisition, access, use or disclosure of PHI in violation of the privacy rule is a breach.

• Refine breach notification assessment processes to evaluate new criteria in accordance with the “probability of compromise” standard. Update program effectiveness metrics and reporting to reflect this new assessment methodology.

• Research

  • Re-interpretation of the existing rule now allows for future, unspecified research on data, which was previously disallowed under the interpretation that such future research was not clearly specified in an authorization.

  • Research authorizations must be updated to include a description of remuneration for data projects, and the calculation of the cost-based fee for PHI to prove it does not represent a profit.

  • The Final Rule allows the combination of conditioned and unconditioned authorizations in the same document; develop new, simplified standard consent/authorization wording.

• De-identification

  • Policies, procedures and education for those engaged in 3rd party data uses and disclosures to explain the November 2012 de-identification guidelines, understanding of which is critical to meeting the new BA Management, Research and Sale of PHI provisions in the Omnibus rule.

Page 24

Summary

• HIPAA is here to stay

• Beyond the Omnibus, pay attention to emerging standards for healthcare privacy and security:

  • Meaningful Use Standards

  • HIE requirements

  • Federal Research Grants

• Business Associates: Invest in building a privacy and security program equal to your CE counterparts. If you are an HIE or HIO, you are likely not exempt from these requirements.

• Covered Entities: Build an action plan and design implementation timelines in accordance with the September enforcement deadline.

• BA agreements signed after January 25th need to reflect new requirements by March 25th, or plan to renegotiate again prior to September 26th.

Page 25

Action Steps – What You Should Be Doing

• Conduct a robust assessment with an annual reassessment for compliance

• Map/flow PHI movement within your organization, as well as flows to/from third parties

• Perform data discovery to find all of your PHI

• Establish effective technical safeguards over PHI (encryption, access management, restriction for required use only)

• Develop a third party risk management program

• Review vendor contracts and update BA agreements


Page 26

KPMG Contacts

Michael D. [email protected]

Rich E. [email protected]

Jaime [email protected]

Mark M. [email protected]


Page 27

Q&A

Page 28

Thank You

Page 29

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.