This document summarizes the key changes brought about by the HITECH Omnibus Rule, which modifies HIPAA privacy and security regulations. Some major changes include expanding the definition of business associates, strengthening enforcement of violations including increased penalties, and requiring individual authorization for marketing and the sale of protected health information. The document also reviews new requirements around fundraising, research, and electronic access to health records.

1. © 2013© 2013
The HITECH Omnibus
Rule: A Review
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA
Diana Warner, MS, RHIA, CHPS, FAHIMA

2. © 2013
Agenda
1. Discuss the regulatory changes brought
about by the final ARRA/HITECH Omnibus
Rule.
2. Review the new enforcement rules and
how OCR has already applied them.
3. Review impact of GINA to the HIPAA
ModificaJon Rule.
2

3. © 2013
3
3
ARRA/HITECH Review
• American Recovery and
Reinvestment Act
• Health InformaJon Technology for
Economic & Clinical Health
provisions

4. © 2013
4
4
ARRA/HITECH Review
• February 2009
• HIPAA markedly expanded and penalJes
sJffened under ARRA/HITECH
• Proposed Changes
– Privacy
– Security
– Enforcement

5. © 2013
Omnibus Rule
• Rule Published January 25, 2013
• EffecJve March 26, 2013
• Compliance September 23, 2013
• Compliance for small health plans will be
the same
5

6. © 2013
Security Changes
• Added “and business associates” with the
“covered enJJes”
• DefiniJon of “electronic media”
• Annual Review of Risk Assessments
6

7. © 2013
HIPAA Privacy ModificaGon
Overview
• Final:
– Business Associates
– Limited Data Set
– Deceased Individuals
– Childhood ImmunizaJons
– MarkeJng
– Fundraising
– Disclosure and Sale of Health InformaJon
– Research
– Requested RestricJons
– Electronic Access
– NoJce of Privacy PracJce
7

8. © 2013
What’s SGll Missing?
• AccounJng of Disclosures (AoD)
• Minimum necessary guidance
• DistribuJon of
penalJes/seblements
to harmed individuals
8

9. © 2013
What’s Not Missing?
• De‐idenJficaJon Guidance (32 pages)
– Posted November 26, 2012
– Reviews the standard itself and its raJonale
– Preparing for de‐idenJficaJon
– SaJsfying the Expert DeterminaJon Model
– SaJsfying the Safe Harbor Method
9

10. © 2013
Business Associates (BA)
• BA are incorporated into certain
privacy, security and enforcement
regulaJons
• Need for new agreements
• HIEOs, PHRs, and E‐prescribing
gateways, PSOs
• Subcontractors
10

11. © 2013
Decedents
• Involved in care or payment of the
deceased
• Not considered PHI if deceased for more
than 50 years
11

12. © 2013
Childhood ImmunizaGons
• CE may release proof of immunizaJon to a
school without having to obtain a wriben
authorizaJon
– CE must sJll obtain disclosure agreement (oral
or otherwise) from parent, guardian, or
individual
– Affected by State law
12

13. © 2013
MarkeGng
• Expands and defines what can be considered
markeJng and when an authorizaJon is
necessary
• Defines financial remuneraJon – which is
necessary to define some of the markeJng
situaJons and the selling of PHI
• Require individual authorizaJon before
markeJng communicaJon can be received
• Allow individual to opt‐out of receiving
markeJng communicaJons
• Provide statutory excepJon for prescripJon
refill reminders
13

14. © 2013
Fundraising
• Opportunity to opt out
• CE may not condiJon treatment or payment
on choice
• Adds categories of PHI
that may be used or
disclosed for fundraising:
– Department of service
– TreaJng physician
– Outcome informaJon
– Health insurance status
14

15. © 2013
Disclosure & Sale of PHI
• Does not permit a CE or BA to directly or
indirectly receive remuneraJon in exchange
for PHI of an individual unless covered by a
valid authorizaJon
– authorizaJon must specify whether the enJty
receiving the PHI can further exchange the
informaJon for remuneraJon
15

16. © 2013
Disclosure & Sale of PHI:
ExcepGons
• Public health data as defined in HIPAA
• Research data as defined in HIPAA
• When the purpose of the exchange is for:
• Treatment
• Health care operaJons
• RemuneraJon
• Providing an individual with a copy of the
individual’s PHI
• Otherwise determined by the Secretary in
regulaJons to be similarly necessary and
appropriate.
16

17. © 2013
Research
• Use of compound authorizaJons
• Authorizing future research
use or Disclosure
17

18. © 2013
RestricGons
• HIPAA’s right to request privacy
protecGons will remain
• AddiJonal restricJon requirement limited
to restricJng PHI disclosed for payment
and operaJons when service is paid out
of pocket in full
• 45 CFR 164.522(a) will sJll be needed to
cover all other restricJon requests
18

19. © 2013
Electronic Access to Designated
Record Set (DRS)
• CE’s that use or maintains an EHR with respect
to PHI of an individual, the individual shall
have a right to obtain from such CE a copy of
such informaJon in an electronic format.
• The individual has a right to direct the CE to
transmit a copy directly to another enJty or
person.
• The CE may not charge the individual any
more than its labor costs to respond to a
request for a copy of the record.
• In providing the individual with an electronic
copy of PHI the CE should ensure that
reasonable safeguards are in place.
19

20. © 2013
Update NoGce of Privacy PracGces
• Statements to include:
– uses and disclosures of:
• Psychotherapy notes (where appropriate)
• PHI for markeJng purposes
• Disclosures that consJtute a sale of PHI require an
authorizaJon
• not described in the NPP will be made only with
an authorizaJon from the individual
– fundraising communicaJons and an individual’s
right to opt out.
– (only applies to healthcare providers) right to
restrict certain disclosures of PHI to a health plan if
they pay for a service in full and out of pocket.
– individual’s right to be noJfied of a breach of
unsecured PHI in the event they are affected.
– (only applies to certain health plans) Limits on the
use of geneJc health informaJon
20

21. © 2013
Health Plan NPP RedistribuGon
• Post on website:
– Prominently post the material change or its
revised noJce on its website
– Provide revised noJce in the next annual
mailing to individuals
• Health plans that do not have customer
service web sites are required to provide
the revised NPP or informaJon about the
material change and how to obtain it to
individuals

22. © 2013
Enforcement
• Final Rule adopts the 10/31/2009
Interim Final Rule.
– Expanded to include BAs and their
agents (subcontractors)
– Changes in this secJon’s language
signals tougher enforcement for willful
neglect
– All complaints will iniJate an
invesJgaJon
22

23. © 2013
Enforcement
• OCR is recruiJng enforcement agents
heavily and has upped their pay scale
• OCR HIPAA audits are sJll mandated
• BAs up next!
23

24. © 2013
State AG’s to Enforce HIPAA
• OCR training includes:
– Overview of Privacy and security
– InvesJgaJon techniques
– PreempJon Review
– OCR’s enforcement role
– State aborney’s general role and
responsibiliJes
– HIPAA enforcement and support
24

25. © 2013
Civil Money PenalGes
Four Jered structure ‐ PenalJes based on
culpability and increase with each Jer:
1. Reasonable cause
2. Knowledge and reasonable diligence
3. Willful neglect violaJon corrected
4. Willful neglect violaJon not corrected
25

26. © 2013
Penalty Tiers
• Each ViolaJon ‐ $100‐$50,000
• All such violaJons/yr $1,500,000
Did not know
• Each ViolaJon ‐ $1,000‐$50,000
• All such violaJons/yr $1,500,000
Reasonable
Cause
• Each ViolaJon ‐ $10,000‐$50,000
• All such violaJons/yr $1,500,000
Willful Neglect ‐
Corrected
• Each ViolaJon ‐ $50,000
• All such violaJons/yr $1,500,000
Willful Neglect
– Not corrected
26

27. © 2013
Penalty Tiers
Reasonable Cause (§160.401 Final Rule)
“An act or omission in which a covered
en9ty or business associate knew, or by
exercising reasonable diligence would
have known, that the act or omission
violated an administra9ve simplifica9on
provision, but in which the covered
en9ty or business associate did not act
with willful neglect.”
27

28. © 2013
Civil Money PenalGes
PenalJes imposed will be impacted by the
following:
• ViolaJons before or aoer HITECH
• Nature and extent of the violaJon
• Harm resulJng from the violaJon (not harm as
discussed in Breach NoJficaJon)
• History of compliance
• EnJty’s overall financial condiJon
28

29. © 2013
Civil Money PenalGes
• CounJng ViolaJons:
– Lose a thumb drive = # individuals
affected
– Lack of appropriate safeguards (e.g.
policy and procedure) = per day basis
• $1.5M Cap = per type of violaJon
29

30. © 2013
§ 160.410 AffirmaGve Defenses
Prior to 2/18/2009
• An act punishable under 42 U.S.C.
1320d–6
• CE establishes that it did not have
knowledge of the violaJon
• The violaJon is
– Due to reasonable cause
– Corrected during the 30 day period
– Corrected as the Secretary determine to
be appropriate
30

31. © 2013
§ 160.410 AffirmaGve Defenses
On or aaer 2/18/2009
• An act punishable under 42 U.S.C.
1320d–6
• The violaJon is
– Due to reasonable cause
– Corrected during the 30 day period
– Corrected as the Secretary determine to
be appropriate
31

32. © 2013
Waiver §160.412
• The Secretary may waive civil money
penalty in whole or in part:
– ViolaJon due to reasonable cause
– Not corrected with Jmeframe
– Extent of penalty would be excessive
relaJve to the violaJon
32

33. © 2013
Breach Timeline
• 08/24/09 – Interim Final Rule
• 09/23/09 – NoJficaJon of Breach
• 11/30/09 – Enforcement
• 1/25/13 – Final Rule
• 3/26/13 – EffecJve Date Final Rule
• 9/23/13 – Compliance Date Final Rule
33

34. © 2013
Breach Final Rule
• DefiniJon of a Breach
The acquisi9on, access, use, or disclosure of
protected health informa9on in a manner not
permiDed [Privacy Rule] which compromises
the security or privacy of the protected health
informa9on.
• Unsecured PHI
PHI that is not rendered unusable,
unreadable, or indecipherable to
unauthorized individuals through the use of a
technology or methodology specified by the
Secretary.

35. © 2013
Breach Final Rule
35 35
HARM
THRESHOLD

36. © 2013
Breach Final Rule
• Impermissible use of PHI is PRESUMED
a breach unless the CE can
demonstrate low probability that PHI
was compromised.
– Harm Threshold Replaced by Risk
Assessment
– If a determinaJon to noJfy has been
made a risk assessment is not required

37. © 2013
Breach Final Rule
• Risk Assessment
– Nature and extent of the PHI
– Who used or to Whom the PHI was
disclosed?
– Was the PHI actually acquired or viewed?
– Extent to which PHI miJgated
• OCR expected to issue further guidance

38. © 2013
Breach Final Rule
• ReporJng a Breach to the OCR
– Considered “discovered” on the 1st day it is
“known” to the CE/BA.
– Business Associate must noJfy CE
immediately
– UlJmate responsibility for reporJng to OCR
lies with the CE
– <500 individuals must noJfy HHS 60 days aoer
close of year
– >499 must noJfy HHS when individual is
noJfied

39. © 2013
Breach Final Rule
• A breach only occurs if it
involves unsecured PHI.
• Safe Harbor
– EncrypJon
– Meets definiJon of unsecured PHI

40. © 2013
Breach NoGficaGon
• To the Individual
– No later than 60 days from discovery
– Wriben noJficaJon or subsJtute
noJce required
• First‐class mail or email

41. © 2013
Breach NoGficaGon
• NoJficaJon Scenarios
– Minors, incompetent or deceased adult
– AlternaJve communicaJons
– PaJent CondiJon
– Health Plan

42. © 2013
Breach NoGficaGon
• SubsJtute NoJce
o ExcepJon: Deceased, Next of Kin,
Personal RepresentaJve cannot be
reached, no further acJon required
o Requirement varies if there is <10
or >10 individuals

43. © 2013
Breach NoJficaJon
• SubsJtute NoJce (cont’d)
– <10 – noJce can be wriben, by phone, or
other means
– >10
• PosJng on home page for 90 days or
• Ad in major print in area where individual most
likely resides for 90 days
• Include toll‐free number in both for 90 days
• AddiJonal emergent contact is also
permibed for urgent situaJons

44. © 2013
Breach NoGficaGon
• NoJficaJon Elements
o Date of breach
o Date of discovery (if known)
o Brief descripJon of what happened
o DescripJon of types of PHI involved
o Steps an individual should take to
protect themselves from potenJal harm
o DescripJon of what is being done to
invesJgate and miJgate the breach
o Contact informaJon of CE/BA

45. © 2013
Breach NoGficaGon
• Breaches >500
– Prominent media outlets must be noJfied no
later than 60 days from discovery
– Must be reported to OCR no later than 60 days
from date of discovery
– NoJficaJon to all affected including required
elements
– American Samoa and Northern Mariana Islands
are now included, not specified in HIPAA

46. © 2013
Breach NoGficaGon
• Breaches <500
– Must be reported annually to OCR
– All breaches that occur in a calendar year must
be reported within 60 days of the end of that
calendar year

47. © 2013
Breach NoGficaGon
• Business Associates
– Considered discovered on day the BA
discovered breach
– BA must noJfy CE
– Responsibility will vary by BA and CE
relaJonship
– Should be specified in BAA

48. © 2013
Breach NoGficaGon
• Delays by law enforcement
– NoJficaJon or posJng can be delayed if
requested by law enforcement for
criminal invesJgaJons or maber of
naJonal security
• In wriJng – must specify Jme period of
delay
• Oral – must be documented – only valid for
30 days unless received in wriJng

49. © 2013
Breach: Key Steps
1. PotenJal privacy/security violaJon reported
2. InvesJgaJon and DocumentaJon
a) Did a breach occur?
3. If breach determined, perform risk
assessment
4. NoJfy individuals
5. Report to HHS accordingly (<500 or >500)
6. Feedback/MiJgaJon/SancJons

50. © 2013
Breaches & Enforcement in AcGon
• Major Cases in 2013
– United HomeCare Services, Inc (12,229)
– Healthcare for Women (8,727)
– CatocJn Dental/Richard B. Love (6,400)
– Utah Dept of Health (6,332)
• Major Cases in 2012
– Emory Healthcare (315,00)
– South Carolina Dept. of Health and Human
Services (228,435)
– Alere Home Monitoring Inc (116,506)
– Crescent Health Inc – a Walgreen’s
company (109,000)

51. © 2013
GeneGc InformaGon
NondiscriminaGon Act (GINA)
• InformaJon about:
– The individual’s geneJc tests;
– The geneJc tests of family members of the
individual;
– The manifestaJon of a disease or disorder in
family members of such individual; or
– Any request for, or receipt of, geneJc
services, or parJcipaJon in clinical research
which includes geneJc services, by the
individual or any family member of the
individual.

52. © 2013
GINA
• Applies to the following:
– group health plans,
– health insurance issuers,
– health maintenance organizaJons,
– issuers of Medicare supplemental policies)
– employee welfare benefit plans,
– high risk pools,
– certain public benefit programs and
– any other individual or group plan, or
combinaJon of individual or group plans.

53. © 2013
SpecificaGons
• Prohibits uses and disclosures for:
– underwriJng except for long term care
policies
– UnderwriJng though this acJviJes is
typically considered payment or healthcare
operaJon
• Clarifies health plan may
– release summary health informaJon to
sponsors
– ConJnue to use and disclose informaJon as
required by law
• Clarifies healthcare providers may
conJnue to disclose geneJc informaJon
for payment purposes

54. © 2013
Next Steps
• Review state laws again final rule
• Review/Update policies and
procedures
– What’s working? What’s not?
• Update Incident/Breach Response Plan
– Create a risk assessment template
• Update BA agreements
– Specifically idenJfy BA responsibiliJes
54

55. © 2013
Next Steps
• Update NPPs to include:
– Fundraising
– RestricJons
– Decedents
– Access
• Update AuthorizaJons
– MarkeJng
– Sale of PHI
– Research
55

56. © 2013
56
QuesGons?

57. © 2013
Thank You!
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA
Director, HIM PracGce Excellence at AHIMA
angela.rose@ahima.org
Diana Warner, MS, RHIA, CHPS, FAHIMA
Director, HIM PracGce Excellence at AHIMA
diana.warner@ahima.org

58. © 2013
References
• ModificaJons to the HIPAA Privacy, Security,
Enforcement, and Breach NoJficaJon Rules under the
Health InformaJon Technology for Economic and Clinical
Health Act and the GeneJc InformaJon
NondiscriminaJon Act; Other ModificaJons to the HIPAA
Rules
hbp://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐25/pdf/
2013‐01073.pdf
• Analysis of ModificaJons to the HIPAA Privacy, Security,
Enforcement, and Breach NoJficaJon Rules under the
Health InformaJon Technology for Economic and Clinical
Health Act and the GeneJc InformaJon
NondiscriminaJon Act; Other ModificaJons to the HIPAA
Rules
hbp://library.ahima.org/xpedio/groups/public/documents/
ahima/bok1_050067.pdf
58

59. © 2013
References
• Guidance Regarding Methods for De‐idenJficaJon of
Protected Health InformaJon in Accordance with the
Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule
hbp://www.hhs.gov/ocr/privacy/hipaa/understanding/
coveredenJJes/De‐idenJficaJon/guidance.html
• HIPAA Privacy Rule
hbp://www.hhs.gov/ocr/privacy/hipaa/administraJve/
privacyrule/privrulepd.pdf
• AHIMA Advocacy and Policy Center:
www.ahima.org/advocacy 59

60. © 2013
AHIMA Privacy & Security
Resources
• A HIPAA Security Overview
• HIPAA Privacy and Security Training (Updated)
• NoJce of Privacy PracJces (Updated)
• PreempJon of the HIPAA Privacy Rule
(Updated)
• RetenJon and DestrucJon of Health
InformaJon
• SancJon Guidelines for Privacy and Security
ViolaJons
• Security Risk Analysis and Management: An
Overview (Updated)
• Security Audits of Electronic Health InformaJon
(Updated)
• The 10 Security Domains 60

61. © 2013
Resources – Breach Tools
• Model Breach NoJficaJon Leber
hbp://library.ahima.org/xpedio/groups/public/
documents/ahima/bok1_044673.hcsp?
dDocName=bok1_044673
• Breach NoJficaJon Template Leber
hbp://library.ahima.org/xpedio/groups/public/
documents/ahima/bok1_045987.pdf
• Model Plan for Breach NoJficaJon
hbp://library.ahima.org/xpedio/groups/public/61