
DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE

I. INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, known as "covered entities": (1) health care providers who conduct covered health care transactions electronically, (2) health plans, and (3) health care clearinghouses. The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, (1) requires covered entities to implement safeguards to ensure that the privacy of protected health information ("PHI") is maintained, (2) sets the parameters under which covered entities may use or disclose an individual's PHI, and (3) gives individuals the right to examine and obtain a copy of their health records and to request corrections, and requires covered entities to notify individuals of those rights. Covered entities that engage "business associates" to perform functions or work on their behalf must have contracts or other data sharing arrangements in place with those business associates to ensure that the business associates safeguard PHI and use and disclose the information only as permitted or required by the Privacy Rule.

II. HITECH ACT: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, is designed to promote the widespread adoption and integration of health information technology. It includes provisions designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include:

• extending the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities;
• requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, be treated as business associates;
• requiring HIPAA covered entities and business associates to provide notification of breaches of "unsecured" PHI;
• establishing new limitations on the use and disclosure of PHI;
• prohibiting the sale of PHI; and
• expanding individuals' rights to access their PHI and to obtain restrictions on certain disclosures of PHI to health plans.

In addition, its provisions are designed to strengthen and expand HIPAA's enforcement provisions.

III. OMNIBUS RULE: On January 25, 2013 the Department of Health and Human Services (HHS) issued the final changes to the Privacy Rule. (See 78 Fed. Reg. 5566, et seq.) This constituted the adoption of


the "final" privacy, security and breach notification provisions of HIPAA, HITECH and the Genetic Information Nondiscrimination Act (GINA). As of September 23, 2013, this rule is in full effect and, other than certain "grandfathered" agreements, all covered entities and their business associates fall under its provisions.

• The Final Privacy Rule makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
• It strengthens the limitations on the use and disclosure of PHI and prohibits the sale of PHI without individual authorization.
• It expands individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
• It requires modifications to, and redistribution of, a covered entity's notice of privacy practices.
• It modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
• It also adopts additional HITECH enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
• The Omnibus Rule also incorporates the increased and tiered civil money penalty structure provided by the HITECH Act, and replaces the breach notification rule's "harm" threshold in an attempt to provide a more objective standard.
• Finally, it prohibits most health plans from using or disclosing genetic information for underwriting purposes.

A. Business Associates

HIPAA permits a covered entity to disclose PHI to a business associate, and to allow a business associate to create, receive, maintain, or transmit PHI on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information. "Business associate" is defined to include a person or entity who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. Such entities include, inter alia, billing companies, electronic records management companies, Patient Safety Organizations, Health Information Organizations (HIO), E-Prescribing Gateways, other entities that provide data transmission services with respect to PHI to a covered entity and whose activities require routine access to such PHI, and entities that offer a personal health record to one or more individuals on behalf of a covered entity.

The definitions of HIO and "routine access" are purposefully vague. The former is seen as an evolving one based on practice and technology, and the latter is to be determined on a case-by-case basis. Accordingly, an entity that acts as a conduit for PHI but does sample the data for integrity purposes may or may not be a business associate, depending on its relationship to covered entities, how often it accesses the PHI and what its responsibility for maintaining the data may be. However, both the guidance and prudence suggest that the "conduit" exception is a narrow one designed for internet service providers and the like. An entity that maintains a covered entity's database, for example, but does not access PHI in performing this task is still a business associate and not a conduit.

To avoid having HIPAA's protections for PHI lapse merely because a function is performed by a subcontractor rather than an entity with a direct relationship with a covered entity, a subcontractor that acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate, including an agent or other person who acts on behalf of the business associate, is also a business associate, even if the business associate has failed to enter into a business associate contract with that person or entity. As such, the subcontractor must comply with the Privacy Rule. In other words, the analysis is the same for the business associate and its subcontractor(s). This does not mean that a covered entity has to have a contract with a business associate's subcontractor(s). The obligation is on each business associate (sub or direct) to obtain satisfactory assurances in the form of a written contract or other arrangement that its subcontractor will appropriately safeguard PHI. Thus the requirements of HIPAA are "pushed down the chain" along with the PHI.

The Privacy Rule provides that disclosures by a business associate for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the PHI, because such disclosures are made outside of the entity's role as a business associate. However, for such disclosures that are not required by law, the Privacy Rule requires that the business associate obtain "reasonable assurances" from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and that the person will notify the business associate of any instances of which it is aware that the confidentiality of the information has been breached. The determination of when the disclosure of PHI by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate creates a business associate relationship, versus being solely for its own management, is to be made on a case-by-case basis.

a. Internal Business Associates – N.Y.C. HRA as an Example of a Hybrid Entity

The Omnibus Rule promotes a shift toward direct liability for business associates of covered entities in the event of an unauthorized disclosure or breach of PHI and synchronizes the rules for internal and external business associates. Internal business associates are components of a hybrid entity that perform business associate, rather than covered, functions. HRA is a hybrid entity because it is "a covered entity; [w]hose business activities include both covered and non-covered functions; and… designates health care components in accordance with [HIPAA regulations]." The old rule allowed hybrid entities to subject only their health care components to HIPAA regulations while cordoning off internal business associate functions. The new rule removes this flexibility by providing that "if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity…." 45 C.F.R. § 164.105(iii)(D).

There is some ambiguity regarding the extent of the changes. Some scholars argue that the new regulation does not require a covered entity's business associate function areas to comply with HIPAA ("[A] covered entity as a whole does not have to comply with HIPAA…") (http://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1305_bernstein.html). However, under the new rule, some program areas that were previously considered non-covered components will now fall under the health care component umbrella, and are therefore subject to HIPAA regulations because the health care component is subject to the HIPAA rules. For example, "[consider] an entity that is both a hospital and university, any Business Associate function being performed by the non-health care component (e.g., the university's legal offices) would now be subject to direct compliance as if it were within the health component of the hospital department of the entity." (http://www.bsk.com/media-center/2547-health-care-hitech-omnibus-hipaa-final-rule---glimpse-at-some-changes--). This is consistent with the drafters' stated intent to extend liability to internal business associates of health care components with which they share PHI:

[A]fter this final rule, business associates, by definition, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts. With respect to a hybrid entity, however, not including business associate functions within the health care component of a hybrid entity could avoid direct liability and compliance obligations for the business associate component. Thus, we agree with the commentators that supported requiring inclusion of business associate functions inside the health care component of a hybrid entity. As such, the final rule requires that the health care component of a hybrid entity include all business associate functions within the entity.

78 Fed. Reg. 5566, 5588.

To be in compliance with the new provision, all program areas utilizing PHI from HRA's health care component must comply with HIPAA regulations regarding business associate arrangements and organizational requirements. 45 C.F.R. § 164.105(iii). Furthermore, HRA has revisited its documentation regarding its health care component to see which program areas would qualify as business associates if they were separate legal entities. 45 C.F.R. § 164.105(iii)(D). These program areas have been notified of the new regulation and its implications. [HANDOUT: HIPAA MOU – Covered Entity and Business Associate Agencies]

b. External Business Associates and Their Subcontractors

To conform with the new regulations, HRA must modify its business contracts to reflect the understanding that HRA's business associates must comply with HIPAA regulations. HRA must have contracts that satisfactorily convey the business associate's liability. Most significantly, beyond these amendments to our own business associate contracts and memoranda of understanding (for sister municipal entities), business associates of covered entities must make similar changes to their contracts with subcontractors.


c. Breach Notifications

The final Privacy Rule largely tracks the provisions of the Interim Breach Rule. There are, however, a few important changes to the breach notification rules and procedures that will affect covered entities. The final Privacy Rule clarifies the definition of a data breach, adopts a new standard for risk assessment concerning PHI disclosures, and alters the breach notification timeline for breaches involving fewer than 500 individuals.

First, the definition of a "breach" has been amended by eliminating one of the exceptions recognized by the interim rule. Under the Interim Rule, an impermissible use or disclosure of PHI that would qualify as a limited data set but that excludes dates of birth and zip codes was not a breach. The final Privacy Rule does not recognize such an exception. See 45 C.F.R. § 164.402(1)(ii).

Second, the final Privacy Rule replaces the "risk of harm" standard with a new obligation to assess whether PHI has been "compromised." Under the Interim Rule's "risk of harm" standard, covered entities were required to conduct a risk assessment to determine whether there was a significant risk of harm due to an impermissible use or disclosure. The final Privacy Rule instead requires covered entities to assess the probability that the PHI was "compromised" if they want to avoid the notice requirements of the rule. While the term "compromised" is not defined, HHS indicates that, when conducting an assessment, "the covered entity must consider at least the following factors:

1. The nature and extent of the PHI;
2. The unauthorized person who used or received the PHI;
3. Whether the PHI was actually viewed or acquired; and
4. The extent to which the risk to the PHI has been mitigated.

The covered entity or business associate has the burden of proving that a disclosure was not a breach, and must treat an incident as a breach unless it determines, and documents, that there is a low probability the PHI was compromised. While the standard is different, it is unclear whether this new standard will result in material differences in the response to a breach and the determination regarding notification in most circumstances.

These provisions incentivize covered entities and business associates to encrypt limited data sets and other PHI: if PHI has been encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742), it is not "unsecured" PHI and no breach notification is required following an impermissible use or disclosure of the information. The Guidance conditions this safe harbor on the confidential process or decryption key not itself having been breached, so an incident that exposes both the encrypted data and the key that decrypts it does not qualify.

Finally, breach notification procedures under the final Privacy Rule are largely the same, with one notable change. The covered entity still has the ultimate duty, although potentially assignable to a business associate, to notify affected individuals of the breach pursuant to 45 C.F.R. § 164.404. [HANDOUT: Example of a Breach Notification Letter]

Recently HRA had a data security incident in which a list containing 24 names and Social Security numbers of Medicaid clients was lost. A legal determination was made that a data breach occurred and a letter was sent by HRA to notify these individuals.

In addition, the covered entity must follow the same procedures for notifying the media (45 C.F.R. § 164.406) and the Secretary (45 C.F.R. § 164.408(b)) for breaches involving 500 or more individuals. However, for breaches involving fewer than 500 individuals, the final Privacy Rule modifies 45 C.F.R. § 164.408(c) so that covered entities must notify the Secretary of all such breaches not later than 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred.

d. Accounting for Disclosures

The final Privacy Rule does not address the accounting for disclosures requirement of the 2009 HITECH Act; rather, the Office for Civil Rights has advised that it will be the subject of a future rulemaking. The new rulemaking, however, "shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their [PHI] is being disclosed and takes into account the administrative burden of accounting for such disclosures." (HITECH § 13405(c)(2)). Consequently, this discussion will focus on the requirements of the HITECH Act. While there have been proposals for changes in the regulations, covered entities must focus on both recordkeeping and reporting practices in order to fully comply with the HITECH Act.

It is important to note that, while the 2009 HITECH Act modifies the HIPAA rules, it is relatively narrow in scope. Specifically, the legislation addresses covered entities that use or maintain an electronic health record, and makes no mention of paper records. See 42 U.S.C. § 17935(c)(1). Any relevance the Act has to paper records is not discussed. Despite the narrowness of the legislation's applicability, there are three main changes with regard to recordkeeping. First, covered entities must now be able to provide an individual with a record of disclosures that goes back three (3) years instead of six (6). See 42 U.S.C. § 17935(c)(1)(B). Second, the Act eliminates the exception that allowed entities not to record disclosures for purposes of treatment, payment, and health care operations. See 42 U.S.C. § 17935(c)(1)(A). Finally, business associates must now maintain records the same way that covered entities are required to. See 42 U.S.C. § 17935(c)(3)(B).

Naturally, the reporting requirements are consistent with the revised time period during which an individual has the right to view all disclosures of their electronic PHI. In addition, a covered entity must either provide an accounting of disclosures made by the covered entity and by any business associate acting on behalf of the covered entity (see 42 U.S.C. § 17935(c)(3)(A)), or provide a list of disclosures made by the covered entity together with a list of business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone number, and email address). See 42 U.S.C. § 17935(c)(3)(B).

Finally, the HITECH Act establishes a timetable for compliance. For a covered entity that had acquired an electronic health record as of January 1, 2009, the accounting requirement applies to disclosures made from that record on or after January 1, 2014 (see 42 U.S.C. § 17935(c)(4)(A)); for a covered entity that acquires an electronic health record after January 1, 2009, the requirement applies to disclosures made from that record on or after the later of January 1, 2011 or the date on which it acquires the record. See 42 U.S.C. § 17935(c)(4)(B). The Secretary may extend the date in subsection (c)(4)(A) to no later than 2016, and the date in subsection (c)(4)(B) to no later than 2013. See 42 U.S.C. § 17935(c)(4)(C).

IV. BREACH PREVENTION

A. Examples of HIPAA Breaches That Would Trigger Notification

[HANDOUT: Data Security Incident Protocol: What to do in the Event of an Unauthorized Disclosure and Breach Prevention Measures] [HANDOUT: PACU-OLA Data Security Incident Form]