
HIPAA 2023 Latest Guidance and Compliance Focus

Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
www.lewiscreeksystems.com

© Copyright 2023 Lewis Creek Systems, LLC All Rights Reserved [email protected] www.lewiscreeksystems.com


Agenda
• Overview of HIPAA Regulatory Expectations
• Telemedicine and Communication during (AND after) the Public Health Emergency
• Issues in Individual Access of Records under HIPAA
• HIPAA Accounting of Disclosures Changes
• Potential and Proposed Rule Changes
• HIPAA Controls and New Technologies
• Q&A


HIPAA Privacy, Security, & Breach Rules
• Privacy Rule
  – 45 CFR §164.5xx; Enforceable since 2003
  – Establishes Rights of Individuals
  – Controls on Uses and Disclosures
  – Access of PHI is a hot button issue for HHS – FORTY-THREE settlements so far in the HHS OCR Right of Access initiative
• Security Rule
  – 45 CFR §164.3xx; Enforceable since 2005
  – Applies to all electronic PHI
  – Flexible, customizable approach to health information security
  – Uses Risk Analysis to identify and plan the mitigation of security risks
• Breach Notification Rule
  – 45 CFR §164.4xx; Enforceable since February 2010
  – Requires reporting of all PHI breaches to HHS and individuals
  – Extensive/expensive obligations
  – Provides examples of what not to do on the HHS “Wall of Shame”: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


Part 1
• Overview of HIPAA Regulatory Expectations
  – New Regulatory Directions
  – Rule Modifications and Guidance on the COVID-19 Pandemic
  – Overdue Regulatory Action
  – Court Ruling Limiting Regulations


Updated Rules for 42 CFR Part 2
• Keeps 42 CFR Part 2 protections on use of SUD data for prosecution or investigation (as do the changes under the CARES Act)
• Clarification of when the rules apply, definition of “records”
• Access of central registries (such as PDMPs)
• Generalization of consents (such as to entities) (the CARES Act allows use of Part 2 information under HIPAA-like controls, with consent)
• Clarification on allowable disclosures for payment & operations, with a list of 17 example allowable activities
• Better alignment with HIPAA & Common Rule on research
• Rules on clearing staff-owned personal devices of Part 2 data, including texts and e-mail
• Also revisions for medical emergencies and disasters, investigations of “extremely serious crimes”, and placement of undercover informants


November 2022 Proposed Rules
• Coordinate 42 CFR Part 2 Rules with HIPAA
  – Single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations
  – Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions
  – Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings
  – Right to an accounting of disclosures (HIPAA)
  – Right to request restrictions on disclosures for treatment, payment, and health care operations (HIPAA)
  – Require disclosures to the Secretary for enforcement
  – Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations
  – And more…


How the HIPAA Safe Harbor Law Fits In
• Effective January 5, 2021, the HIPAA Safe Harbor bill amends the HITECH Act to require the Department of Health and Human Services to incentivize best practice cybersecurity for meeting HIPAA requirements.
  – The legislation directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices within the course of 12 months, when investigating and undertaking HIPAA enforcement actions, or for other regulatory purposes.
  – Further, the bill requires that HHS take cybersecurity into consideration when calculating fines related to security incidents. HHS is also required to decrease the extent and length of an audit if it’s determined the impacted entity has indeed met industry-standard best practice security requirements.


Telemedicine, HIPAA, and COVID-19
• HHS has issued an enforcement advisory on telemedicine during the COVID-19 emergency: Relaxed enforcement for using services that are non-public facing but may not meet HIPAA requirements (such as providing a BAA)
  – Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype
• BUT: Do NOT use public-facing services that are not private
  – Facebook Live, Twitch, TikTok, and similar
• And: Once the emergency is over you will need to use HIPAA compliant services, under a Business Associate Agreement, according to a HIPAA Security Risk Analysis
• See: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html


Part 2
• Issues in Individual Access of Records under HIPAA
  – New Emphasis on Enforcement of Individual Access Rules
  – New Court Ruling Limiting Third-Party Access Requests
  – New Limitation of Business Associate Liability for Compliance


2021 Access Enforcement Actions
• January 12, 2021: $200,000 settlement and CAP for Banner health system, for taking too long (five and six months) to deliver records
• February 10, 2021: $75,000 and CAP for Renown Health’s failure to transmit electronic records to a third party as requested
• February 12, 2021: Number 16: $70K and CAP for Sharp HealthCare for a second lack of response for records request, even after OCR provided help after the first complaint was investigated
• March 24, 2021: Slow response to records request, requiring two interventions by HHS OCR – $65K and a CAP for Arbour Hospital
• March 26, 2021: Slow response to records request – $30K and a CAP for Village Plastic Surgery
• June 2, 2021: Taking two years to deliver a minor child’s medical record – $5K and a CAP for The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) of West Virginia
• September 10, 2021: Failure to satisfy request for minor child’s records by Children’s Hospital Medical Center of Omaha, Nebraska – $80K and a CAP
• November 30, 2021: FOUR MORE settlements and ONE civil money penalty, up to $160K with CAPs


2022 and 2023 Access Enforcement Actions
• March 28, 2022: Two Enforcement Actions for Right of Access
  – Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record: $30,000 and a CAP
  – Jacob and Associates, a psychiatric medical services provider with two offices in California: $28,000 and a CAP for violations of the right of access standard
• September 20, 2022: 3 more settlements, all with Dental Offices, $25K to $80K and CAPs – rules apply to dentists, too
• December 15, 2022: $20K and a CAP for Health Specialists of Central Florida, for not providing access to deceased father’s records
• January 3, 2023: Life Hope Labs took too long to provide records, pays $16,500 and CAP in penalty #43 in the Individual Right of Access initiative


So, what are we allowed to do?
• Do what the patient wants
  – Meet HIPAA Requirements
  – Accommodate what you reasonably can
  – Remember! Patient access of information is a high priority at HHS
• Meet the Patient’s Needs
  – Communication with the office for Prescription Renewals, Scheduling, etc.
  – Discussion of particular health issues
  – Access of Medical Records, test results
• Do what you can handle properly
  – For Patient Care
  – For Medical Records


Part 3
• HIPAA Accounting of Disclosures Changes
  – Current Accounting of Disclosures Requirements
  – Required Changes and Difficulties Implementing Them
  – Likely Regulation to be Proposed


Accounting of Disclosures Today
• Individual has right to an accounting of all disclosures of health information in last six years
• Except for disclosures:
  – For Treatment, Payment, and Healthcare Operations
  – To the individual; under authorization; associated with disclosures under §164.502; for facility directories; for national security; law enforcement; limited data set…
• The Result?
  – Number of Accountings requested very low
  – Many hospitals have had NO requests for such accountings since the rule went into effect in 2003!
  – Time and money spent implementing systems and tracking that are never used
  – Cost vs. benefit?


Part 4
• Potential (and Proposed) Rules Changes
  – Acknowledgement of Receipt of Notice of Privacy Practices
  – TCPA and Cell Phone Communications
  – Getting Back to Normal After the Pandemic Emergency: Coming soon!


TCPA and Communicating to Cell Phones
• Telephone Consumer Protection Act of 1991 limits calls and messages to cell phones without consent
• Limits Robo-calling (including reminder calls)
• There are Penalties for, without consent, calling a cell phone or leaving:
  – A payment related message (voice or text)
  – A healthcare related message more than one minute (voice) or 160 characters (text) long; no more than one per day or three per week
• Includes healthcare reminders, appointment reminders, etc.


TCPA and Communicating to Cell Phones
• Be cautious, especially for any calls or texts relating to billing
• Get consent up front to call or text the number provided for healthcare & (especially) financial purposes, including reminders & follow-up
• Consent must be written, or
• Consent is considered provided for Healthcare Communications ONLY (NOT for Payment communications) if:
  – the patient provides a phone number, and
  – the Notice of Privacy Practices says the patient may be contacted for Treatment, Payment, and Healthcare Operations, and
  – the Notice is acknowledged as received with a signature
• Proposals have been made to change TCPA to allow communications for TPO purposes without consent, but not yet!
• Meanwhile, the Proposed Privacy Rule changes would eliminate the signed acknowledgement as a consent, so you’d have to get that separately, instead


Part 5
• HIPAA Controls and New Technologies
  – Difficulty in Managing Privacy
  – Calls for HIPAA Expansions


New Technologies
• New technologies in health care every day
  – Some new technologies will be very useful
  – Some new technologies will be a privacy and security nightmare
• You can’t deny new technologies
  – New Technologies should be addressed head-on
  – If you ignore them they don’t go away
  – Encourage dialog on new technologies and find ways to use them productively, securely
• Education addressing new technologies is essential
  – Prevent improper uses
  – Train in appropriate usage


New Technologies and HIPAA
• HIPAA can handle new technologies for PHI
  – Security Rule is very flexible, adaptable
• New kinds of information, apps, devices, and various uses outside the formal HIPAA definition of “Protected Health Information”
• New calls for protection of more kinds of patient information than HIPAA covers
• Proposed HIPAA Privacy Rule changes would address many issues more clearly
• Don’t be surprised if new laws and regulations result
  – Expanded FTC activity
  – State laws may also be in the works
  – Expansion of existing state breach rules


Your to-do list…
✓ Don’t be in denial – willful neglect costs more than compliance
✓ Keep your ears out for new rules, laws, guidance
✓ Provide individual access – don’t block information
✓ Be careful adopting new technologies
✓ Step up your Security game
✓ Make sure mobile devices are protected
✓ Document your processes for proper methods of communications with both patients and professionals
✓ Conduct drills in audit and breach response
✓ Make corrections based on results
✓ Always have a plan for moving forward, and follow it!


Thank you! Any Questions? For additional information, please contact:

Jim Sheldon-Dean
Lewis Creek Systems, LLC
5675 Spear Street, Charlotte, VT 05445

[email protected] www.lewiscreeksystems.com
