Changes to HIPAA Under the Omnibus Final Rule


Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods

The Long-Awaited HIPAA Final Rule

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the long-awaited omnibus final rule (Final Rule) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Non-Discrimination Act of 2008 (GINA). The Final Rule, published in the Federal Register on Jan. 25, 2013 (78 Fed. Reg. 5566), settles some of the questions that remained open after the publication of the proposed regulations on July 14, The Final Rule became effective on Mar. 26, 2013, and covered entities and business associates must comply with the applicable requirements of the Final Rule by September 23, Covered entities and business associates will have up to one year following the compliance date to modify business associate agreements in accordance with the requirements of the Final Rule.

Among other things, the Final Rule addresses the following key topics:

1. Privacy Rule and Security Rule:
   a. Direct liability of business associates and subcontractors of business associates for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Rule.
   b. Activities that render an entity a business associate, including the mere storage or maintenance of protected health information (PHI).
   c. Required modifications to a covered entity's notice of privacy practices.
   d. Expansion of the rights of individuals to receive electronic copies of their health information and restriction of disclosures to a health plan for treatment for which the individual has paid out-of-pocket in full.
   e. Expansion of the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibition of the sale of protected health information without individual authorization.
2. The Breach Notification Rule: Replacement of the harm threshold in the Breach Notification Interim Final Rule with a more objective standard and replacement of the Interim Final Rule in its entirety with the relevant provisions of the omnibus Final Rule.
3. The Enforcement Rule: Incorporation of the tiered civil money penalty structure set forth in the HITECH Act, originally published as an interim Final Rule on October 30, Penalties are increased for non-compliance based upon the level of negligence, with a maximum penalty of $1.5 million per violation.

4. Protections for Genetic Information: Enhanced privacy protections for genetic information as required by GINA, which was published as a proposed rule on October 7,

In a press release accompanying the release of the Final Rule, Leon Rodriguez, the director of the Office for Civil Rights of HHS, stated that the final omnibus rule "marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

Breach Notification Standard Changed by HIPAA Omnibus Final Rule

In the Final Rule, HHS modified the standard that HIPAA-covered entities, including healthcare providers and health plans, and their business associates must use to determine if a breach of PHI has occurred. Specifically, HHS replaced the previous standard, which required analysis of the risk of financial, reputational or other harm to an individual, with a standard that presumes that a breach has occurred unless, through the analysis of a series of specific factors, it is determined that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. In the Final Rule, HHS reaffirms that it is the obligation of the covered entity or the business associate to reach this determination, to document the basis for the determination, and to provide all required notifications if a determination is made that a breach has occurred.

Risk of Harm Standard Replaced with More Objective Test

The HITECH Act requires notice to affected individuals, HHS, and, in certain circumstances, the media when HIPAA-covered entities and their business associates discover a breach of unsecured PHI. HHS defines "breach" as the acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that "compromises the security or privacy of the PHI." In the Breach Notification for Unsecured Protected Health Information Interim Final Rule, effective Sept. 23, 2009, HHS defined the phrase "compromises the security or privacy of the PHI" to mean that the acquisition, access, use, or disclosure "poses a significant risk of financial, reputational, or other harm to the individual." The inclusion of this second level of analysis, the so-called "risk of harm" standard, created a subjective aspect to an entity's evaluation of whether an unauthorized acquisition, access, use, or disclosure of PHI rises to the level of a breach.

After considering public comments to the Interim Final Rule, HHS determined that the risk of harm standard could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of a breach to state that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Further, to determine whether there is a low probability that the PHI has been compromised and whether breach notification is necessary, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

Following analysis of each of the factors above, covered entities and business associates must evaluate the overall possibility that the PHI has been compromised by considering all the above, and any other relevant factors, in combination. HHS expects that risk assessments will be thorough and completed in good faith and, further, that the conclusions will be reasonable.

Safe Harbor and Certain Other Exceptions Still Apply

The Final Rule retained a critical safe harbor initially established by the Interim Final Rule. Specifically, an unauthorized disclosure only rises to the level of a breach and only triggers the notification requirements of the HITECH Act if the PHI disclosed is "unsecured." Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of the technology or methodology specified by the secretary through published guidance. The secretary issued guidance on Apr. 17, 2009, later published in the Federal Register on Apr. 27, 2009 (74 FR 19006), specifying two methods for rendering PHI unusable, unreadable or indecipherable: (1) encryption and (2) destruction effectuated in accordance with certain industry best practices.

The other regulatory exceptions to the definition of "breach" that were implemented through the Interim Final Rule remain unchanged. These include: (1) acquisition, access or use of PHI by a workforce member, in good faith, and without further use or disclosure not permitted by the Privacy Rule; (2) inadvertent disclosure to a person authorized to access PHI, without further use or disclosure not permitted by the Privacy Rule; and (3) where there is a good faith belief that the unauthorized person would not be able to retain the information.

Limited Data Set Exception Removed

The Final Rule eliminated the exception to the definition of breach where the PHI used or disclosed constitutes a limited data set that does not contain any dates of birth or ZIP Codes. Accordingly, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.

Notification Requirements Remain Unchanged

Under both the Interim Final Rule and the Final Rule, if a covered entity determines that a breach has occurred, the following breach notification obligations apply:

Notice to Individuals: Affected individuals must be notified without unreasonable delay, but in no case later than 60 calendar days after discovery. The notices must be written in plain language and include basic information that is detailed in the Interim Final Rule. Under certain circumstances, a substitute notice may be used.

Notice to Media: If a breach affects more than 500 residents of a state or smaller jurisdiction (such as a county, city or town), the covered entity or business associate must also notify a prominent media outlet that is appropriate for the size of the location with affected individuals.

Notice to HHS: Information regarding breaches involving 500 or more individuals (regardless of location) must be submitted to HHS at the same time that notices to individuals are issued. If a particular breach involves 500 or fewer individuals, the covered entity is required to report the breach to HHS within 60 days after the end of the calendar year in which the breach occurs via the HHS web portal.

Notice by Business Associates to Covered Entities: A business associate of a covered entity must notify the covered entity if the business associate discovers a breach of unsecured PHI. Notice must be provided without unreasonable delay and in no case later than 60 days after discovery of the breach.

Burden of Proof Rests with Covered Entities and Business Associates

The Final Rule reaffirms that, in the case of an impermissible use or disclosure of PHI, it is the covered entity or the business associate, as applicable, that has the burden of demonstrating that all notifications were provided or, in the alternative, that an impermissible use or disclosure did not constitute a breach, and of maintaining documentation as necessary to meet this burden. It is critically important that covered entities and business associates have appropriate policies and procedures in place to detect and respond to a potential breach. Following a breach, covered entities and business associates should conduct employee training to prevent recurrence.

HHS Adopts a Broad Interpretation of Entities that Qualify as Business Associates under HIPAA in the Omnibus Final Rule

In the Final Rule, HHS (i) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a long-term basis qualify as business associates under HIPAA; (ii) expands the definition of business associate to include subcontractors of business associates; and (iii) provides specific guidance regarding the dates by which covered entities and business associates must enter into HIPAA-compliant business associate agreements. HHS's decision to define a business associate in an expansive manner is significant because, pursuant to the HITECH Act, business associates are directly liable to the federal government for noncompliance with certain provisions of the Privacy Rule and with the Security Rule and are subject to the Breach Notification and Enforcement Rules (collectively, the "HIPAA Rules"). Prior to the HITECH Act, business associates were contractually liable to covered entities pursuant to an executed business associate agreement but did not have direct liability to the federal government under HIPAA and the accompanying regulations. The application of HIPAA to business associates through the HITECH Act and the broad definition of these entities adopted in the Final Rule impose compliance obligations, and the risk of substantial penalties for noncompliance, upon a wide swath of entities supporting the healthcare industry.

Clarifying the Definition of Business Associate

In what it described as a clarification, HHS modified one component of the definition of business associate. Specifically, HHS altered the definition to provide, in relevant part, that a business associate is an entity that, "on behalf of [a] covered entity or of an organized health care arrangement (as defined in [45 C.F.R ]) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by [the] subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing." (45 C.F.R ) (emphasis added). In the discussion preceding the revised regulation, HHS states that this change is intended to "make the definition more consistent with language at [Section] (b) of the Security Rule and [Section] (e) of the Privacy Rule, as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information."

HHS also distinguishes between a mere "conduit" of PHI, such as the U.S. Postal Service, and an entity engaged in the long-term storage of PHI. According to HHS, the former transmits PHI and holds it on a transient basis, with no real opportunity to access PHI, and, thus, does not constitute a business associate. In contrast, a data storage provider that maintains PHI on behalf of a covered entity or business associate on a more permanent basis has the opportunity to access PHI and, thus, qualifies as a business associate under HIPAA. HHS does not distinguish between bulk storage providers of hard copy data, cloud storage providers, and other providers of electronic data storage services, suggesting that its analysis of who qualifies as a business associate applies in the same manner to each of these entities.

Liability of Subcontractors of Business Associates

In addition to reframing the definition of business associate, HHS provided a short list of the types of entities that, by definition, constitute business associates. Among these is "a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." (45 C.F.R ). Thus, subcontractors of a business associate who use or disclose PHI on behalf of the business associate are now directly subject to HIPAA. In the Final Rule, HHS noted that it included subcontractors in the definition of business associate "to avoid having privacy and security protections for PHI lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity."

HHS clarifies that disclosures by a business associate to a third-party entity for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the PHI because such disclosures are made outside the entity's role as a business associate. (However, such disclosure must otherwise be made in accordance with Section of the Privacy Rule, including the requirement for assurances that the PHI will be appropriately safeguarded.) In response to concerns from the public that the inclusion of subcontractors in the definition of business associate would require a covered entity to identify and enter into business associate agreements with all downstream contractors of each of its business associates, HHS modified the HIPAA Rules. Specifically, HHS modified the HIPAA Rules to provide that a covered entity is not required to directly contract with downstream subcontractors. (45 C.F.R (e)(1); 45 C.F.R (b)(1)). Instead, a business associate who discloses PHI to a subcontractor must enter into a business associate agreement with the subcontractor that provides assurances that the subcontractor will appropriately safeguard the information. (See 45 C.F.R (b)(2).)

Liability Attaches upon the Performance of a Business Associate Activity

The discussion preceding the Final Rule notes that the Final Rule establishes that "a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise." Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate. Thus, an individual or entity that qualifies as a business associate under the HIPAA Rules is liable for compliance with HIPAA regardless of whether a business associate agreement is in effect.

Compliance Dates

The Final Rule requires that covered entities and business associates (and, if applicable, subcontractors) achieve compliance with the HIPAA Rules within 180 days of the effective date of any new or modified standards. (45 C.F.R ). The effective date of the Final Rule was Mar. 26, 2013, and covered entities and business associates must be in compliance with the requirements by Sept. 23, Notwithstanding this general compliance deadline, in the Final Rule, HHS provides a transition provision that allows a covered entity and a business associate (or a business associate and subcontractor) to continue operating under an existing business associate agreement for up to one year beyond the compliance date of the Final Rule, so long as certain requirements are satisfied. (45 C.F.R (d)). An existing business associate agreement may continue to operate beyond the compliance deadline if (i) the agreement is effective prior to Jan. 25, 2013, and it contains all the elements required by the regulations as of that date; and (ii) the agreement will not be modified or renewed from March 26, 2013 (the Final Rule effective date) until Sept. 23, 2013 (the Final Rule compliance date). (45 C.F.R (e)(1)). An existing business associate agreement that meets such specifications will be deemed compliant until the earlier of the date the agreement is modified or renewed on or after September 23, 2013, or Sept. 22,

HIPAA Omnibus Final Rule Modifies Notice of Privacy Practices Requirements

The Final Rule modifies and expands the statements that covered entities must include in the Notice of Privacy Practices, which is the HIPAA-mandated notice that apprises patients of their rights with regard to PHI and the limits imposed upon a covered entity's uses and disclosures of PHI.

Notice of Privacy Practices

The Privacy Rule requires covered entities to maintain and distribute a notice of privacy practices (NPP), which must provide that any uses or disclosures other than those expressly permitted by the Privacy Rule will be made only with the written authorization of an individual (45 C.F.R ). The Final Rule expands the requirements to provide individuals with a better understanding of (i) a patient's right to restrict disclosures; (ii) the types of uses and disclosures that require individual authorization; (iii) a patient's right to opt out of certain disclosures (45 C.F.R (b)(1)); (iv) rights to notice in the event of a breach; and (v) rights with respect to the use of their genetic information for health plan underwriting purposes.

The Final Rule modifies (b)(1)(ii)(E) to expand the statements in the NPP regarding uses and disclosures that require authorization. Although the Final Rule does not require the NPP to include a list of all situations requiring authorization, the NPP must contain a statement indicating that the following uses and disclosures will be made only with authorization from the individual: (i) most uses and disclosures of psychotherapy notes (if recorded by a covered entity); (ii) uses and disclosures of PHI for marketing purposes, including subsidized treatment communications; (iii) disclosures that constitute a sale of PHI; and (iv) other uses and disclosures not described in the NPP. The Final Rule adopts, as proposed, the requirement that if a covered entity intends to send fundraising communications to an individual, the NPP must also inform the individual of this intent and that the individual has the right to opt out of such fundraising communications with each solicitation (45 C.F.R (b)(1)(iii)(B)). Finally, the Final Rule requires that the NPP contain a simple statement indicating that the covered entity is required to notify the patient of any breach of his or her unsecured PHI.

Healthcare providers must state in the NPP that if an individual has paid for services out-of-pocket, in full, and the individual requests that the healthcare provider not disclose PHI related solely to those services to a health plan, the healthcare provider must accommodate the individual's request, except where the healthcare provider is required by law to make a disclosure (45 C.F.R (b)(1)(iv)(A)). The Final Rule does not require covered entities to inform other downstream covered entities of an individual's request not to disclose PHI to a health plan; however, the commentary to the Final Rule does suggest that covered entities should consider providing notification where feasible. Additionally, consistent with GINA, health plans are required to include a statement in their NPPs that they are prohibited from using or disclosing genetic information of an individual for underwriting purposes (45 CFR (b)(1)(iii)(C)). The Final Rule included a limited exception to this requirement for certain issuers of long-term care policies.

The Final Rule requires a health plan that currently posts its NPP on its website in accordance with (c)(3)(i) to: (i) prominently post the material change or its revised notice on its website by the effective date of the material change to the notice (i.e., the compliance date); and (ii) provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during open enrollment. If a health plan does not have a customer services website, then the health plan must provide the revised NPP, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice. The Final Rule does not modify the current requirement, applicable to all covered entities, to distribute revisions to the NPP (45 C.F.R (c)(2)(iv)).
Therefore, when a healthcare provider revises an NPP, the healthcare provider must make the NPP readily available upon request on or after the effective date of the revisions at the delivery site to existing patients who request a copy, must post the revised notice on its website, if applicable, and must post the notice in a prominent location on its premises. Providers may even post a summary of the notice, provided that the full notice is immediately available. New patients who receive services for the first time after modification of an NPP should be provided with a copy of the revised NPP. Consistent with the existing rules, providers should retain copies of previous versions of their NPPs and of any written acknowledgements by patients of receipt of NPPs.

HIPAA Omnibus Final Rule Implements Tiered Penalty Structure for HIPAA Violations

The HITECH Act required HHS to modify HIPAA's Enforcement Rule and HHS's approach to imposing civil money penalties (CMPs) for violations. Specifically, the HITECH Act significantly increased the amount of CMPs, reduced the number of available affirmative defenses to CMPs, and required imposition of CMPs for all violations due to willful neglect. Additionally, the HITECH Act applied all the above directly to business associates. HHS issued an Interim Final Rule along with a request for comments on Oct. 30, The Final Rule responds to public comments regarding the Interim Final Rule and makes a variety of revisions to the Interim Final Rule. However, the core provisions regarding penalties remain substantially the same.

Determining the Amount of a CMP

The Final Rule implements the penalty structure mandated by the HITECH Act for violations occurring after Feb. 18, 2009, in which the amount of the penalty increases with the level of culpability, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year. Prior to the enactment of the HITECH Act, the imposition of CMPs under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. The prior penalty structure is still applicable to violations occurring on or before Feb. 18, The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:

Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.

Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.

Willful Neglect Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.

Willful Neglect Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

The corresponding tiers of CMP relating to each level of culpability are as follows:

Violation Category               Each Violation         Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing                        $100 to $50,000        $1,500,000
Reasonable Cause                 $1,000 to $50,000      $1,500,000
Willful Neglect Corrected        $10,000 to $50,000     $1,500,000
Willful Neglect Not Corrected    At least $50,000       $1,500,000

Under the Final Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:

- The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;
- The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual's reputation and whether the violation hindered an individual's ability to obtain healthcare;
- The history of prior compliance, including previous violations; and
- The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.

Defenses to CMPs

The Final Rule limits the ability of the Secretary to impose CMPs for certain violations of HIPAA occurring after Feb. 18, Specifically, the Secretary may not impose CMPs for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply. This defense, however, is not available for violations due to willful neglect. Thus, to the extent possible, a covered entity or business associate that discovers a violation of HIPAA that is not due to willful neglect should endeavor to (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violation; and (iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of CMPs for the violation.

The Final Rule also bars the imposition of CMPs for violations of HIPAA when a criminal penalty has previously been imposed for the same conduct.

Waiver and Discretion

While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, as discussed above, there is some flexibility built into the Final Rule with respect to imposition of such penalties. The Final Rule gives HHS discretion to waive a CMP for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation. The waiver power mirrors the tiered CMP structure by providing a mechanism to ensure that the amount of CMP reflects the level of culpability. Further, CMPs are not the exclusive remedy for violations of HIPAA. Rather, HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means. Prior to the Final Rule, HHS was required to seek resolution through these informal means for all violations, while the Final Rule provides that informal resolution may be attempted. Finally, the Final Rule does not allow violations due to willful neglect to be resolved through these informal means without also imposing a CMP.

Applicability of CMPs for Acts of Business Associate Agents

The Final Rule makes a covered entity liable for the violations of its business associates that are its agents, and adds a parallel provision providing for the liability of business associates for the acts of their agents. To avoid state-by-state variations in the law of agency, the Final Rule specifies that whether an agency relationship exists will be established under the federal law of agency. In general, an agency relationship will be found where the potential agent's actions can be directed or controlled during the course of performance of its duties, regardless of whether actual direction or control occurs. Prior to the HITECH Act, covered entities were not subject to CMPs for violations by an agent who was also a business associate acting under a compliant business associate agreement.

Marketing and Sale of PHI

Marketing of PHI

The Final Rule requires an individual's authorization for a communication when a covered entity receives financial remuneration from a third party in exchange for marketing the third party's product or service. Exceptions apply for certain costs related to refill reminders and other communications about currently prescribed drugs. Promotions of health in general and the promotion of government-sponsored programs are also permitted without authorization. The Privacy Rule requires a covered entity to obtain a valid authorization from an individual before using or disclosing PHI to market a product or service to such individual (a)(3).
Section of the Privacy Rule defines "marketing" as making "a communication that encourages the recipient to purchase or use a certain product or service." The Final Rule implements Section 13406(a) of the HITECH Act, which limits the communications that may be considered health care operations and are, therefore, excepted from the definition of marketing, and which includes an exception for communications that describe only a drug or biologic currently prescribed to the individual, as long as any remuneration received in exchange for making the communication is reasonable in amount.

Sale of PHI

Consistent with Section 13405(d) of the HITECH Act, the Final Rule generally prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless the covered entity or business associate has obtained authorization from the individual. The Final Rule defines "sale of PHI" to mean a disclosure of PHI by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. Notably, this definition makes the sale provisions applicable to all disclosures in exchange for remuneration, even if the sale transaction does not involve the transfer of ownership of PHI, such as in the context of a license or lease agreement. However, the sale of PHI does not encompass certain funding arrangements, such as grants or incentive payments from a government agency for programs that require the reporting of PHI as a condition of funding, or the exchange of PHI through a health information exchange (HIE) that is paid for through fees assessed on HIE participants.

GINA

GINA prohibits employers and health insurance plans from discrimination on the basis of genetic information. To implement the requirements of GINA, the Final Rule adds genetic information to the definition of health information and prohibits the use or disclosure of genetic information for underwriting purposes. A plan may still use genetic information to determine medical appropriateness when a participant or dependent seeks a benefit under the plan. Finally, health plans are required to revise their NPPs to include an appropriate statement regarding their GINA restrictions.

Conclusion

The Final Rule will require covered entities and business associates to engage in a variety of activities to update policies, procedures, forms, NPPs, and actual practices to comply with the new requirements. In addition, to ensure HIPAA compliance, covered entities and business associates should train their workforce regarding the various updates. Additionally, to complement these efforts, and as required by the Security Rule, covered entities and business associates should take this opportunity to revisit their security risk assessments, address any identified vulnerabilities, and document their analysis.

Although it is not written in the regulations themselves or the Federal Register, it is likely that the release of the Final Rule will trigger a new era of HIPAA enforcement. Indeed, HIPAA enforcement already increased considerably following the issuance of the HITECH Act, and the OCR has made numerous statements over the last several years indicating that it takes its enforcement role very seriously. Accordingly, covered entities and business associates should act swiftly and comprehensively in their efforts to update applicable HIPAA programs and to ensure ongoing compliance.

Authors

Ms. Kannensohn and Mr. Kottkamp are each Partners in the Health Care Group of McGuireWoods LLP. The authors would like to thank Holly Carnell, Mary DeBartolo, Vincent Dongarra, Amanda Enyeart, Allison

13 Harms, Drew McCormick, and Lindzi Timberlake for their assistance with this article.


More information

Compliance. TODAY May Meet Scott Killingsworth. Partner in the Atlanta offices of Bryan Cave LLP. See page 16

Compliance. TODAY May Meet Scott Killingsworth. Partner in the Atlanta offices of Bryan Cave LLP. See page 16 Compliance TODAY May 2013 a publication of the health care compliance association www.hcca-info.org Meet Scott Killingsworth Partner in the Atlanta offices of Bryan Cave LLP See page 16 25 Medicare Coverage

More information

Privacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR

Privacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR Resource provided by Page 1 of 10 Contents I. The Privacy Rule The Fundamental HIPAA Rule... 1 II. Privacy Rule Overview... 1 III. Privacy Rule Standards and Implementation Specifications Covered in Section

More information

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance

More information

Colorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc.

Colorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Colorado Medical Society The HIPAA OMNIBUS RULE June 3, 2013 Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Agenda The HIPAA Omnibus Rule - a high level overview Effective dates SpeciLic

More information

HIPAA Compliance Under the Magnifying Glass

HIPAA Compliance Under the Magnifying Glass HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule

More information

Containing the Outbreak: HIPAA Implications of a Data Breach. Jason S. Rimes. Orlando, Florida

Containing the Outbreak: HIPAA Implications of a Data Breach. Jason S. Rimes. Orlando, Florida Containing the Outbreak: HIPAA Implications of a Data Breach Orlando, Florida www.lowndes-law.com Jason S. Rimes 2013 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved Protected Health

More information

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H: BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,

More information

HIPAA Omnibus Rule. Employer Alert

HIPAA Omnibus Rule. Employer Alert Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 227, 2/11/13, 02/11/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

LEGAL ISSUES IN HEALTH IT SECURITY

LEGAL ISSUES IN HEALTH IT SECURITY LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson

More information

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15) Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent

More information

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between

More information

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule Audio Seminar January 28, 2013 Practical Tools for Seminar Learning Copyright 2012 American Health Information Management Association.

More information

NEWSLETTER. Volume Nine - Number One January The Final HIPAA HITECH Regulations: Making the Business Case for ERM

NEWSLETTER. Volume Nine - Number One January The Final HIPAA HITECH Regulations: Making the Business Case for ERM NEWSLETTER Volume Nine - Number One January 2013 The Final HIPAA HITECH Regulations: Making the Business Case for ERM A Special Expanded Edition of TRG enews When the proposed final rule was sent to the

More information

HITECH and Stimulus Payment Update

HITECH and Stimulus Payment Update HITECH and Stimulus Payment Update David S. Szabo Agenda HIPAA Breach Notification Rules HITECH and Meaningful Use Open Question Period 2 Data Security Breaches A total of 245,216,093 records containing

More information