Implementation Business Associates and Breach Notification

(1)

HIPAA CHANGES—UNDERSTANDING & IMPLEMENTING THE LATEST RULE

Implementation – Business

Associates and Breach

Notification

Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com

Clay J. Countryman, Esq., Clay.Countryman@bswllp.com

(2)

Focus of Presentation:

Implementation

 Breach Notification – Duty to notify, risk assessments, and corrective action  Business Associate Agreements  Monitoring of Business Associates and Subcontractors

(3)

HIPAA Omnibus Final Rule:

Important Dates

 Published in Federal Register – January 25, 2013

 Effective Date – March 26, 2013

 Compliance Date – September 23, 2013  Conform Business Associate Agreements

(4)

OCR: Largest Breaches in 2012

 Hacking network server - 780,000 individuals affected  Backup tapes stored at hospital cannot be found and

are presumed lost - 315,000 affected

 Unencrypted emails sent to employee’s unsecured email address - 228,435 affected

 Theft of laptop from employee’s vehicle - 116,506  Unauthorized access to ePHI stored in database

-105,646

 Hacking database stored on network server – 70,000 affected

(5)

Breach Notification:

Implementation

 OCR: “We expect risk assessments to be thorough,

completed in good faith, and for the conclusions

reached to be reasonable.”

 A risk assessment is required for both impermissible uses and disclosures

 “Uses or disclosures that impermissibly involve more than the minimum necessary may constitute a breach.”

(6)

Modification to the Breach Notification

Rule: Notification to Individuals

Important Clarifications include:

 A Covered Entity that is acting as a Business Associate

should respond to a breach as a Business Associate.

 The obligation to disclose will rest with the Covered Entity

whose PHI is compromised.

 Alternative Notice: Notice has not been given if a written

notice is returned as undeliverable.

 CEs responding to a breach with more than 10 notifications

returned as undeliverable may take some reasonable time to search for correct, current addresses, but must provide

substitute notice “as soon as reasonably possible” and within the original 60-day time frame for notifications.

(7)

Breach Notification

Rule: Notification to the Media

 HHS clarified several points regarding media notifications, including:

 Covered entities are not obligated to incur the cost of any media broadcast regarding the breach in question.

 Media outlets are not obligated to publicize each and every breach notice they receive (and a failure to publicize does not render the notice provided insufficient).

 CEs must deliver a press release directly to the media

outlet being notified. Posting a general press release on a website is insufficient.

(8)

Breach Notification: Implementation

 Revise breach response policies/practices to expressly

include at least the four risk assessment factors

 Thoroughly document risk assessment, especially an

assessment finding a “low probability” that PHI was compromised

 Review vendor assessment practices and tools mindful of

heightened risk that an unauthorized disclosure is a breach

 Do not forget that state breach notification laws often have

different breach definitions and requirements

 Be mindful that “60 days” is an outer limit”

(9)

Breach Notification – Burden of

Proof

 If a risk assessment is not performed, the

default is notification of the breach

 Burden of demonstrating low probability that PHI is compromised is on the CE/BA  Decision not to notify must be

(10)

Breach Notification:

Obligations

 CEs must notify individuals (although can

delegate this to BAs)  BAs must notify CEs

 Subcontractors must be obligated to notify their contracting partner so the

(11)

Breach Notification – Examples of

Risk Analysis Criteria

 Likelihood of identification or re-identification:

 A list of patient names – not low probability

 Patient discharge data, patient not specified – can patients be reidentified?

 Who is the unauthorized recipient:

 A HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated

 An employer – may be able to use personnel records to re-identify

 PHI actually acquired or viewed:

 Untampered with laptop – low probability

 Information mailed to wrong person – not low probability 

(12)

(13)

(14)

(15)

Business Associate Agreements

 The contract between a CE and BA must provide that the BA will:

 Comply with the HIPAA Privacy and Security Rule

 Report to the CE any security incident of which it becomes aware, including breaches of unsecured PHI as required by §164.410

 Ensure that any subcontractors who create,

(16)

Business Associate Subcontractor

Agreement

 BAs must enter into a proper downstream BAA with any subcontractors

 Same requirements as between the CE and BA – Subcontractors are subject to limits in the initial CE/BA Agreement

(17)

BA Agreement Transition

 The Compliance Date for Business

Associate Agreements to be compliant with the Final Rule is September 23, 2013.

 BUT, if CE and BA, prior to the January 25, 2013 (Publication date of Omnibus Rule), had a current BAA, the time period is

extended to the earlier of:

 the renewal date of the BA Agreement, or  September 22, 2014.

(18)

BA Agreement Transition Renewals

 If BAA drafted prior to January 25, 2013 is renewed or modified during the period

between March 23, 2013 and September 23, 2013, it will not qualify for the full transition period and must be compliant by September 23, 2013

 BUT, if a BAA is subject to automatic or

“evergreen” renewal, it will qualify for the full transition period

(19)

Okay let’s make this simple.

Did you have a BAA before January 25? No.

(20)

Okay let’s make this simple.

 Did you have a BAA before January 25? Yes.

 Is it up for non-automatic renewal

between March 23 and September 23, 2013?

Yes.

(21)

Okay let’s make this simple.

 Did you have a BAA before January 25? Yes.

 Is it up for non-automatic renewal between March 23 and September 23, 2013?

No.

(22)

Okay let’s make this simple.

 Do you have a BAA that is compliant with the regulations in the Omnibus Rule?

(23)

Questions?

Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com

Clay J. Countryman, Esq., Clay.Countryman@bswllp.com