Connecting Michigan for Health 2013 http://mihin.org/

1. No More Excuses: HHS Releases
Tough Final HIPAA Privacy and
Security Rules
Brian R. Balow
Dickinson Wright PLLC
June 6, 2013

2. Overview
 Released January 17, 2013
 Effective March 26, 2013
 Covered entities and business associates have 180 days
beyond the effective date to come into compliance with
most of the Final Rule’s provisions (September 23, 2013)

3. Rules to be Discussed
 Privacy Rule
 Security Rule
 Breach Notification Rule
 Enforcement Rule

4. Some General Matters
 Patient Safety Organizations are now business
associates
 HIOs, E-Prescribing Gateways, and others that facilitate
ePHI transmission can be business associates (if
“access to PHI on routine basis” and not merely a
conduit)
 PHR vendors can be business associates if the PHR is
offered on behalf of a covered entity

5. Some General Matters
 Subcontractors to a covered entity can be business
associates “to the extent that they require access to
PHI.” Thus, covered entity must gain satisfactory
assurances of compliance required by the Rules from its
business associates, and business associates must
obtain same from subcontractors
 PHI “stored, whether intentionally or not, in photocopier,
facsimile, and other devices is subject to the Privacy and
Security Rules”
Copyright 2013 Michigan Health Information Network 5

6. Privacy Rule
 Uses and disclosures of patient information:
• Genetic information (health plans as defined in
HIPAA)
• Sale of PHI
• To health plan if services paid by patient
• Marketing activities
• Fundraising activities
• Deceased persons
• Immunization records to schools
Copyright 2013 Michigan Health Information Network 6

7. Privacy Rule
 Confirms a business associate’s direct liability for
specific provisions of the Privacy Rule
 Business associates not directly liable for other Privacy
Rule provisions (e.g., providing a NPP) unless
delegated to BA under a BAA
 BA may use PHI for “proper management and
administration of the BA and to provide data aggregation
services to a covered entity”

8. Privacy Rule
 A BA must enter into a BAA-style agreement with a
subcontractor prior to disclosing PHI
 Covered entities need no longer report uncured breach
by a BA of its obligations under a BAA
 A BA must attempt to cure a subcontractor’s breach of
“satisfactory assurance” type obligations (parallel to a
CE’s obligations vis-à-vis a BA)
Copyright 2013 Michigan Health Information Network 8

9. Privacy Rule
 Required changes to BAAs:
• BA must comply where applicable with Security Rule re
ePHI
• BA must report breaches of unsecured PHI to CE
• BA must flow down satisfactory assurance provisions to
subcontractors
• If Privacy Rule requirement delegated to BA, BA liable to
CE if BA breaches pertinent Privacy Rule requirement
(does not create direct BA liability, however)

10. Privacy Rule
 BAA Amendments
IF
• Existing BAA in place prior to January 25, 2013, and is
compliant with Privacy Rule as then in effect, and
• Existing BAA is not renewed or modified between March 26
and September 23, 2013,
THEN that BAA is deemed compliant until earlier of
• Date on which BAA is renewed or modified after September
23, 2013, or
• September 24, 2014
Copyright 2013 Michigan Health Information Network 10

11. Security Rule
 Security Rule’s administrative, physical, and technical safeguard
requirements, as well as the Rule’s policies and procedures and
documentation requirements, apply to business associates in the
same manner as they apply to covered entities, and BAs will be
civilly and criminally liable for violations
 It is the BA’s, and not the CE’s, obligation to obtain satisfactory
assurances from a subcontractor regarding protection of ePHI
 Allows that formerly required but duplicative BAA provisions are no
longer required (i.e., those required under each of the Privacy Rule
and the Security Rule)

12. Breach Notification Rule
 Unsecured PHI
• Secured PHI = Compliance with valid encryption processes for
data at rest consistent with NIST Special Publication 800-111,
Guide to Storage Encryption Technologies for End User Devices,
and with valid encryption processes for data in motion consistent
with NIST Special Publications 800-52, Guidelines for the
Selection and Use of Transport Layer Security (TLS)
Implementations; 800-77, Guide to IPsec VPNs; or 800-113,
Guide to SSL VPNs, or others which are Federal Information
Processing Standards (FIPS) 140-2 validated
Copyright 2013 Michigan Health Information Network 12

13. Breach Notification Rule, Cont’d
“Breach”
1. Impermissible use or disclosure of PHI is presumed to be a
breach unless CE or BA can demonstrate “low probability” that
PHI was “compromised” (move away from “risk of harm”
standard)
2. CE or BA must conduct a risk assessment to determine if PHI
was compromised

14. Breach Notification Rule, Cont’d
Risk Assessment:
1. Nature and extent of PHI involved (including identifiers/likelihood
of re-identification)
2. Consider the recipient (e.g., already under HIPAA obligation?)
3. Was PHI actually acquired or viewed
4. Extent to which risk has been mitigated

15. Breach Notification Rule, Cont’d
Notification to Individuals
 “Discovery”: When CE knew or by exercising reasonable
diligence would have been known to any person other than
the person committing the breach, who is a workforce
member or agent of CE
 Timeliness: w/o unreasonable delay, not more than 60 days
post-discovery (law enforcement delay exception remains)
 Content:
• What happened, when, and when discovered
• Description of compromised PHI
• Steps individuals should take to mitigate effects
• Steps CE is taking, plus contact information

16. Breach Notification Rule, Cont’d
Notification to Media:
 Unsecured PHI
 500+ affected individuals of any one State
 Within 60 days of discovery, max
 “Prominent media outlet” (depends on the market)
 Press release on a CE website does not meet this
requirement

17. Breach Notification Rule, Cont’d
 Notification to Secretary:
 500+ affected individuals (anywhere): “immediate” (meaning
at time individual notices are sent)
 Less than 500, maintain log and report on HHS website
annually, within 60 days of end of year
 Notification by a Business Associate:
 BA’s knowledge of breach is imputed to CE if the BA is an
agent of the CE (meaning CE’s clock starts ticking when BA
“discovers”
 Otherwise, CE’s clock begins upon notice from BA

18. Enforcement Rule
 Four civil money penalty tiers based on culpability:

19. Enforcement Rule, Cont’d
 “Reasonable cause” (second tier) defined as “an act or omission in
which a covered entity or business associate knew, or by exercising
reasonable diligence would have known, that the act or omission
violated an administrative simplification provision, but in which the
covered entity or business associate did not act with willful neglect.”
 Covered entities and business associates are now liable as
principals for the acts of business associates (for CEs) or
subcontractors (for BAs) acting as agents under Federal common
law principles
Copyright 2013 Michigan Health Information Network 19

20. Enforcement Rule, Cont’d
 Bases for Penalty Determinations:
1. Nature and extent of violation
2. Nature and extent of harm
3. History of prior compliance
4. Financial condition of the CE or BA
5. Other matters “as justice requires”

21. To-Do List: All
1.Print pp. 491 – 562 of the Final Rule
and put them in a binder
2.Read them in conjunction with
existing HIPAA regulations (which
should likewise be in a binder)

22. To Do List: Covered Entities
1. Update privacy policies (uses and disclosures of PHI)
2. Update compliance plan consistent with Breach Notification Rule changes
3. Examine BA relationships in light of agency liability issues
4. BAA review and revision (including amendments to existing BAAs)
5. Update notice of privacy practices and patient authorization form
6. (Seriously) consider encryption of ePHI if not already done
7. Conduct training
8. Use OCR resources

23. To Do List: Business Associates
1. Determine if you are a “business associate” (and if not be prepared
to defend your case)
2. Evaluate your current operations for compliance with applicable
Privacy Rule, Security Rule, and Breach Notification provisions
3. Ensure you have appropriate subcontracts in place and with proper
content
4. Conduct training
5. Use OCR resources

24. Disclaimer
This presentation is informational only. It does not constitute legal or
professional advice.
You are encouraged to consult with an attorney if you have specific
questions relating to any of the topics covered in this presentation

25. Contact Information
Brian R. Balow
248-433-7536
bbalow@dickinsonwright.com
Thank you