Professional Business Management, Inc. WEBINAR SERIES

Updated modifications to the HIPAA Privacy Rule


DESCRIPTION

This webinar addresses updates to HIPAA Privacy, Security, and Breach Notification standards identified in the most recent legislation


Page 1: Updated modifications to the HIPAA Privacy Rule

Professional Business Management, Inc.

WEBINAR SERIES

Page 2: Updated modifications to the HIPAA Privacy Rule

Professional Business Management, Inc.

James Pekarek, MBA, Management Consultant

[email protected] (847) 382-3206

Page 3: Updated modifications to the HIPAA Privacy Rule

WHAT YOU NEED TO KNOW TO PROTECT YOUR PRACTICE

Presented by

Mary Kay Scott, J.D.
Brenner, Monroe, Scott & Anderson, Ltd.
33 North Dearborn, Ste. 300
Chicago, IL 60602
(312) 781-1970

Kathleen Konstantelos
MIS Computer Corp.
1038 North Ashland Ave
Chicago, IL 60622
(773) 772-2373

MODIFICATIONS TO HIPAA PRIVACY, SECURITY, ENFORCEMENT AND BREACH NOTIFICATION RULES

Page 4: Updated modifications to the HIPAA Privacy Rule

Mary Kay Scott, J.D.

Mary Kay Scott attended the University of Illinois and graduated with a Bachelor of Arts degree in Liberal Arts and Sciences in 1981. She then attended the University of Illinois Law School, graduating with a Juris Doctor in 1984. She has been in the private practice of law in Chicago, IL, and the surrounding collar counties since 1984. She is licensed in Illinois and admitted to the Northern District of Illinois Federal Court and the Northern District of Indiana Federal Court. Mary Kay is a member of the Defense Research Institute and the Society of Trial Lawyers. She has an active trial practice.

Page 5: Updated modifications to the HIPAA Privacy Rule

Biography cont’d

Ms. Scott has been an active litigator in the area of medical negligence for all of her almost 30 years of practice. Her practice is in the area of defense. She has represented physicians and their corporations, nurse practitioners, nurse midwives, and CRNAs throughout that time. She was named to Chicago's Top Rated Lawyers in 2012 and 2013 in Medical Malpractice. Additionally, she has been AV rated by Martindale-Hubbell every year since 1999, more than ten consecutive years. She has also represented companies and individuals in defense of general negligence claims.

Ms. Scott is a frequent speaker on legal issues. She is active in her community and was appointed to the Zoning and Planning Commission of Kildeer, IL, and has been a member since 2009.

Ms. Scott is a name partner, Vice-President, and Managing Shareholder for her firm, Brenner, Monroe, Scott & Anderson, Ltd. Her detailed information is available at the firm website at Brenner, Monroe, Scott & Anderson Ltd., www.brennerlawfirm.com.

Page 6: Updated modifications to the HIPAA Privacy Rule

Kathleen Konstantelos

Kathleen Konstantelos, Director of Provider Integration, has been with MIS Computer Corporation for 15 years and leads several teams offering multiple healthcare services. Over the years she has partnered with hospitals and consortiums to onboard their affiliated community for a sponsored EMR program. She understands the process and pain points of the transition from paper charts to an EMR, while keeping an eye on security and all stakeholders' concerns. Over the years Kathleen has gained not only an understanding of practices' workflow but also of how security can easily become compromised.

About MIS

MIS Computer has been in business for over 30 years as an IT reseller and provider of managed services. While our foundation was built on working with large enterprise customers, we have brought our knowledge to healthcare to support physician offices of all sizes and interests. MIS Computer is a member of HIMSS and the Illinois MGMA. Our technicians are HIT certified and trained by CHITREC for Security Risk Assessments.

Healthcare Services

o EMR Implementations
o Managed Services (Monitoring and IT Support)
o Security Risk Assessments
o HeadsUp – Fast Secure Access

For more information, please visit: healthcare.miscomputer.com

Page 7: Updated modifications to the HIPAA Privacy Rule

Disclaimer

The information in this presentation is for general informational and educational purposes and should not be considered a replacement for qualified legal representation and/or an audit performed by a reputable company in the area of electronic medical records and HIPAA requirements. Nothing in the presentation should be considered to apply directly to any specific potential breach, nor to any specific patient situation. Further, this presentation is based on current Federal law, which is subject to change.

Many thanks to Austin C. Monroe for assistance in the preparation of the materials. Sources include 45 CFR Parts 160 and 164, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; the American Medical Association; the Department of Health and Human Services; and the case law cited.

Page 8: Updated modifications to the HIPAA Privacy Rule

Privacy for your patients

What do you need to do to comply?

Page 9: Updated modifications to the HIPAA Privacy Rule

NOTICE OF PRIVACY PRACTICES

Physicians must prepare a new Notice of Privacy Practices (NPP) to post in the office and to give to patients on request, showing that the physician and practice comply with the new rule.

Page 10: Updated modifications to the HIPAA Privacy Rule

What are the new Privacy and Security Rules?

Page 11: Updated modifications to the HIPAA Privacy Rule

Breach Notification Requirements

What are they, and how does a practice need to react to a breach?

Page 12: Updated modifications to the HIPAA Privacy Rule

First and foremost, breaches are now presumed reportable UNLESS, after completing a risk assessment involving FOUR FACTORS, it is determined that there is a "low probability that the PHI has been compromised".

Page 13: Updated modifications to the HIPAA Privacy Rule

FOUR FACTORS

o The nature and extent of the PHI involved, including the sensitivity of the information (financial vs. clinical) and the likelihood that the information can be re-identified.

o The unauthorized person who obtained the PHI, and whether that person has an independent obligation to protect its confidentiality (e.g., a business associate or another covered entity).

o Whether the PHI was actually acquired or viewed, as opposed to merely exposed; forensic analysis of the device or system is the usual way to establish this.

o The extent to which the risk has been mitigated, such as a signed confidentiality agreement or attestation of destruction from the recipient.

Page 14: Updated modifications to the HIPAA Privacy Rule

Therefore, there is a rebuttable presumption of breach, which is less subjective than the old standard of a "significant risk of financial, reputational or other harm" analysis.

There is no need for an independent entity to conduct the risk assessment, though it is not prohibited to have an independent risk assessment, and it may be preferable to do so. Document the assessment either way: the burden of demonstrating a low probability of compromise is on the practice.

A BA whose agreement provides for it may be the one to notify the patient; there is no requirement for multiple breach notifications, and coordination with the BA is recommended.

Page 15: Updated modifications to the HIPAA Privacy Rule

Important Dates

By September 23, 2013, practitioners and hospitals were to comply with the HIPAA Omnibus final rule. Physicians have until September 22, 2014, however, to bring qualifying Business Associate (BA) agreements into compliance with the new rules.

If you are not compliant with the entire rule by now, it is important to become so, and to make sure your BAs are compliant as well!

BA agreements that were in place before January 25, 2013 and were not renewed or modified between March 26, 2013 and September 23, 2013 are deemed compliant until September 22, 2014, or until they are next renewed or modified, whichever comes first.

Page 16: Updated modifications to the HIPAA Privacy Rule

o There is no change to the actual reporting and timeframe requirements for breach notification, including individual notification (without unreasonable delay and no later than 60 days after discovery).

o Notification to HHS and media posting of a breach must still occur where required, with the exception that a BA may handle the notification, as noted above.

Page 17: Updated modifications to the HIPAA Privacy Rule

Disclosures to health plans: Patient self-payments must be tracked separately, and a physician may not disclose information about care the patient has paid for in full out of pocket to the health plan, unless the disclosure is for treatment purposes or, in the rare event, is required by law.

The patient may request that the physician not disclose PHI to a health plan when the patient pays out of pocket in full. It is imperative to honor this request, document it in the record, and follow up to ensure that staff (including billing) does not make the disclosure.

Page 18: Updated modifications to the HIPAA Privacy Rule

Marketing, Do’s and Don’ts

When may a physician market to a patient, i.e., tell a patient about a third party's product or service, without written authorization?

o The physician receives no compensation.
o The communication is face to face with the patient.
o The communication involves a drug or biologic the patient is currently being prescribed, and the payment is limited to reasonable reimbursement of the costs of the communication, i.e., no profit.
o The communication involves general health promotion rather than a specific product or service.
o The communication involves government or government-sponsored programs.

Promotional gifts of nominal value, such as pamphlets, may be given by a physician.

Page 19: Updated modifications to the HIPAA Privacy Rule

The sale-of-PHI provision clarifies that the prohibition on selling PHI without the patient's written authorization extends to licenses and lease agreements, and to the receipt of financial or in-kind benefits. It includes research if there is any profit margin to the physician; only a reasonable cost-based fee is permitted.

Page 20: Updated modifications to the HIPAA Privacy Rule

Decedents: HIPAA protection ends 50 years after a patient's death. Before then, PHI may be disclosed to family members and others involved in the deceased's care in the same manner as during the patient's life, i.e., to persons who were receiving the information while the deceased was alive.

Childhood immunizations may be disclosed to a school if required for admission of the student, as long as the patient's legal representative has given "informal agreement" (written or oral) and that agreement is documented.

Page 21: Updated modifications to the HIPAA Privacy Rule

Electronic or E-PHI

o A physician must respond to a request for electronic records within 30 days, with one 30-day extension permitted. The physician must produce the records in the electronic form requested if readily producible from the EHR, or in another mutually agreeable electronic format; hard copies only when the patient rejects all electronic formats.

o Records may be emailed, but the requesting individual must be advised of the risk of unencrypted email and must still request that form of transmittal; document both the warning and the request.

o There are rules for charges (a reasonable, cost-based fee), assuming state law does not set a lower amount. A separate charge for an affidavit of completeness is allowed.

Page 22: Updated modifications to the HIPAA Privacy Rule

Notice of Privacy Practices

All of the above need to be added to the NPP in use and, if the NPP is on the website, added there as well.

A sample NPP from the American Medical Association website is attached.

*attached in Exhibits section

Page 23: Updated modifications to the HIPAA Privacy Rule

ENFORCEMENT AND PENALTIES

Four Penalty Tiers

o Lowest tier: the physician did not know, and by exercising reasonable diligence would not have known, of the violation. Each violation $100-$50,000; annual cap $1.5 million.

o Intermediate tier: the physician "knew, or by exercising reasonable diligence would have known" of the violation, but did not act with willful neglect. Each violation $1,000-$50,000; annual cap $1.5 million.

o Highest tiers: the physician "acted with willful neglect" and either corrected the problem within the 30-day cure period (each violation $10,000-$50,000) or failed to make a timely correction (each violation $50,000). Annual cap $1.5 million in both cases.

The $1.5 million cap applies per identical provision violated per calendar year.

Page 24: Updated modifications to the HIPAA Privacy Rule

HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect, and may share PHI obtained in an investigation with other government agencies so that those agencies can enforce.

Factors for Assessment of Penalties:

o Nature and extent of the violation, including the number of affected individuals
o The nature and extent of the harm resulting from the violation, including reputational harm
o The history and extent of prior compliance
o The financial condition of the covered entity or business associate; and
o Such other matters as justice may require.

The number of violations may be counted by the number of individuals affected or by the number of days of non-compliance. The 30-day cure period begins when the physician knew, or by exercising reasonable diligence should have known, of the violation.

Page 25: Updated modifications to the HIPAA Privacy Rule

As you can see above, the penalties can be up to $1.5 million per provision per year.

The Office for Civil Rights (OCR) is in charge of enforcement of the new HIPAA Omnibus Rule.

Note that there is no private cause of action for an individual based on HIPAA.

Page 26: Updated modifications to the HIPAA Privacy Rule

IS THERE A CLAIM THAT INDIVIDUALS MAY MAKE AGAINST A PHYSICIAN UNDER HIPAA?

University of Colorado Hospital v. Denver Publishing Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004) (finding HIPAA precludes "implication of a private right of action" and citing other federal decisions finding no private right of action under HIPAA); Doe v. Board of Trustees of University of Illinois, 429 F. Supp. 2d 930, 944 (N.D. Ill. 2006) ("[e]very court to have considered the issue *** has concluded that HIPAA does not authorize a private right of action"); see also Gonzaga University v. Doe, 536 U.S. 273, 284, 122 S. Ct. 2268, 2275-76, 153 L. Ed. 2d 309, 321-22 (2002) ("a plaintiff suing under an implied right of action must still show that the statute manifests an intent 'to create not just a private right, but a private remedy'") (emphasis in original), quoting Alexander v. Sandoval, 532 U.S. 275, 286, 121 S. Ct. 1511, 1519, 149 L. Ed. 2d 517, 528 (2001).

Page 27: Updated modifications to the HIPAA Privacy Rule

LITIGATION: HOW MAY IT OCCUR IF THE GOVERNMENT ENFORCES AND HAS THE ABILITY TO FINE FOR BREACHES?

No direct action under HIPAA is allowed for, nor does one exist. However, in Illinois there is still a potential common law right of privacy, which may be breached by actions violating the safeguards inherent in HIPAA. Such a breach of confidential information may support a claim for negligent or intentional infliction of emotional distress and damages. Bagent v. Blessing Care Corp., 224 Ill. 2d 154 (2007).

There is no reason to believe that the rationale in this case differs under the newly enacted changes.

Page 28: Updated modifications to the HIPAA Privacy Rule

OCR Audit Protocol | Kathleen Konstantelos, MIS Computer Corp.

Gather Information

Review & Understand

Develop & Deploy

Review Annually

• Formal or Informal Policies

• Hardware and Infrastructure Security

• Perform Vulnerability Testing

• Third Party Security

Page 29: Updated modifications to the HIPAA Privacy Rule

Top Vulnerabilities

o No written security policies and procedures
o No designated Security Official
o Infrastructure not kept updated (unpatched operating systems, firmware and applications)

Page 30: Updated modifications to the HIPAA Privacy Rule

IT HIPAA Considerations

o Microsoft Windows XP: Microsoft stopped issuing security updates for Windows XP on April 8, 2014. A computer that can no longer be patched cannot meet the Security Rule's safeguards, so as of that date any computer still running Windows XP should be treated as a HIPAA violation.

o Microsoft Windows "Home": "Home" editions lack the controls the safeguards rely on (domain join, central policy, and managed full-disk encryption such as BitLocker), so they do not comply.

o Data storage: do not store any PHI on a personal computer that may not be secure.

o Cloud: any cloud provider that stores or processes PHI must sign a Business Associate Agreement, because those vendors are also required to protect the data.

Source: 4Medapproved's HIT Security Column
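An added example, not part of the webinar and not MIS Computer's tooling: a PowerShell inventory pass that checks the first two points above (Windows XP and "Home" editions) across a list of hosts, so the finding rests on what each machine actually reports rather than on a spreadsheet. The host list, the DCOM transport choice and the match patterns are assumptions to adjust for your environment; the cmdlets and the Win32_OperatingSystem class are standard Windows PowerShell.

```powershell
# Added example (not from the webinar): flag hosts running Windows XP (no security
# updates since 2014-04-08) or a "Home" edition. $Hosts is a placeholder list; the
# account running this needs WMI (DCOM) rights on each host listed.
$Hosts = @('localhost')   # placeholder: replace with names from your asset inventory

# Older machines have WMI but no WinRM, so use DCOM rather than the default WSMan transport.
$Dcom = New-CimSessionOption -Protocol Dcom

$Report = foreach ($h in $Hosts) {
    try {
        $Session = New-CimSession -ComputerName $h -SessionOption $Dcom -ErrorAction Stop
        $Os = Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem
        Remove-CimSession $Session

        # Caption looks like "Microsoft Windows XP Professional" or "Microsoft Windows 10 Home".
        $Finding = if ($Os.Caption -match 'Windows XP') {
            'FAIL: Windows XP, out of support'
        } elseif ($Os.Caption -match '\bHome\b') {
            'FAIL: Home edition, no domain join or central policy'
        } else {
            'OK'
        }

        [pscustomobject]@{ Host = $h; OS = $Os.Caption; Version = $Os.Version; Finding = $Finding }
    }
    catch {
        # A host you cannot inventory is a finding too: you cannot attest to what you cannot see.
        [pscustomobject]@{ Host = $h; OS = 'unknown'; Version = 'unknown'
                           Finding = "UNREACHABLE: $($_.Exception.Message)" }
    }
}

$Report | Sort-Object Finding | Format-Table -AutoSize
```

Run it from a supported management host; Windows XP machines will not answer over WinRM, which is why the session is forced to DCOM. Keep the resulting table with the risk assessment paperwork, and treat "UNREACHABLE" rows as open items rather than skipping them.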

Page 32: Updated modifications to the HIPAA Privacy Rule

MODIFICATIONS TO HIPAA PRIVACY, SECURITY, ENFORCEMENT AND BREACH NOTIFICATION RULES

Presented by

Mary Kay Scott, J.D.
Brenner, Monroe, Scott & Anderson, Ltd.
33 North Dearborn, Ste. 300
Chicago, IL 60602
(312) 781-1970 p
(312) 781-9202 f

Kathleen Konstantelos
MIS Computer Corp.
1038 North Ashland Ave
Chicago, IL 60622
(773) [email protected]