GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do
By D'Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation
With Steven J. Fox, Post & Schell
Originally commissioned by Thompson Publishing. Republished by permission.
By D'Arcy Guerin Gue, with Steven J. Fox*

Almost 12 years to the month since the Department of Health and Human Services issued the first HIPAA privacy and security rules, a much-expanded "omnibus" rule was released on Jan. 17. HHS coined the term "omnibus" to indicate that the new rule includes four component rules:

- Final provisions that expand the HIPAA privacy, security and enforcement rules, as mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH was a major element of the American Recovery and Reinvestment Act of 2009 (ARRA), commonly known as the economic stimulus package.
- The final rule on Breach Notification for Unsecured Protected Health Information, which changes significant elements of a 2009 interim rule.
- The final HIPAA enforcement rule, which expands HHS' enforcement powers, again as mandated by the HITECH Act.
- The final rule modifying the HIPAA privacy rule, as mandated by the Genetic Information Nondiscrimination Act (GINA).

The omnibus rule went into effect on March 26.

Overview

The omnibus rule, published in the Jan. 25 Federal Register, presented extensive revisions in HIPAA privacy and security requirements (78 Fed. Reg. 5566). While many of the changes are technical details, many others are major and far-reaching. The text of the lengthy document is necessarily complex, given its regulatory intentions, but it is possible to identify at least three broad themes embodied in the new rule:

HHS gives patients and their rights central priority, within its long-term vision of an integrated health care environment where HITECH's "meaningful use" of electronic health records will be fully realized. Several provisions of the new rule focus on enhancing security of "protected health information" (PHI), increasing patient privacy, and expanding patients' access to, and control of, their personal health records.
On the other hand, the obligations of covered entities under HIPAA have expanded. In a dramatic turnabout, business associates are now subject to most of these obligations, including paying penalties. The rule also mandates greater restrictions on uses and disclosures of PHI, business associate agreements, and breach assessment and notification.

HHS has assumed greater reach in enforcement powers and overall authority. It has reduced the level of regulated entities' discretion in identifying breaches and has amplified breach notification requirements. HHS' authority now extends to business associates, making them directly liable for HIPAA compliance. HHS' authority also reaches any subcontractors that touch or store PHI. Finally, genetic information has now been added to the PHI data mix.

*Ms. Gue and Mr. Fox are the original authors of Thompson's Guide to Medical Privacy & HIPAA.
New Liability of Business Associates and Subcontractors Adds Extensive Obligations

The omnibus rule expanded the HIPAA obligations of business associates, making them directly responsible for adhering to most privacy and security provisions. As with covered entities, business associates are now subject to the same penalties for noncompliance. HHS has amended the security rule to require business associates, like covered entities, to conduct a risk analysis, implement a security plan, and appoint a Security Officer.

In a giant step, the rule defines "business associates" far more broadly than in the past, and includes any entities that create, receive, maintain or transmit PHI on behalf of a covered entity. "Maintain" is a new criterion, and will likely include a new group of vendors, such as document storage organizations.

HHS has created a new business associate chain: subcontractors of business associates are now responsible for PHI protection and are defined as business associates if they create, receive, maintain or transmit PHI. Further, their subcontractors are pulled into the chain if they meet the same criteria. All have the same compliance obligations under HIPAA that business associates have. Just as covered entities are held responsible for breaches or violations of their business associates, so, now, "first level" or primary business associates are held responsible for the compliance of their subcontractors. Every connected contractor and subcontractor is now directly liable to HHS for breaches.

It should be noted that vendors that transmit PHI on behalf of covered entities are not considered to be business associates if they are simply "conduits" that do not routinely access PHI. Internet service providers are likely to be such conduits.

Fortunately for covered entities, they do not have to enter into a business associate agreement (BAA) with business associates' subcontractors.
But BAAs are still required between covered entities and their business associates, even though the latter now are held directly accountable for HIPAA compliance. These "primary" business associates also must develop BAAs with all their relevant subcontractors, and covered entities must require their business associates to do so. Note that if an entity meets the definition of a business associate, the entity is liable for HIPAA violations, even if it has not entered into a business associate agreement.

Patients' Rights Are Expanded, Creating New Responsibilities for Regulated Entities

One focus of the omnibus rule was to support patients' participation in the health care environment. The rule increases patients' access to their health records, and provides them greater latitude in restricting disclosures and uses of PHI. Initially, this creates some additional burdens on covered entities and business associates.

Patient Requests

If an individual asks a covered entity for an electronic copy of his or her PHI, the omnibus rule requires covered entities to provide it, assuming the information is maintained in an electronic record. The individual also may have a copy of the PHI sent electronically to another person he or she designates. The preamble to the omnibus rule suggests that covered entities must invest in electronic information technology so that they can meet this requirement, echoing HITECH's mandate for meaningful use of electronic health records.
The rule also parallels HITECH in requiring health care providers to meet patient requests to not disclose to a health plan (or a health plan's business associate) any PHI that is related to items or services for which the patient has fully paid out of pocket. Providers don't have to create separate medical records, as long as they prevent the disclosure. Many electronic systems may not have the ability to single out areas of a record and restrict access to specific individuals. Organizations may have to work with their vendors to complete necessary systems and procedural changes to comply with access restriction requests.

Marketing and Sale of PHI

The original privacy rule required patient authorization to use or disclose PHI for marketing purposes, but made an exception for such uses and disclosures when they were part of "health care operations." The omnibus rule is more restrictive, requiring individual authorizations for any treatment communications if the covered entity (or a business associate) receives financial remuneration for the subject product or service. The rule includes both direct and indirect remuneration (a payment channeled through a third party). HHS makes an exception for refill reminders or communications about current prescriptions, if the third party subsidy is reasonable.

The omnibus rule has adopted HITECH's prohibition of the sale of PHI, defined as the exchange of anything of value (remuneration) for PHI. There are limited exceptions, including disclosure for public health purposes, research purposes, and treatment and payment purposes.

Our Recommendations: First Steps to Take Toward Compliance

If they haven't already done so, we recommend that affected parties undertake these planning initiatives and follow through on implementation:

Gap analysis. Covered entities and business associates should complete a thorough gap analysis to determine which policies, procedures, and documentation (such as notices of privacy practices and subsidized marketing agreements) must be updated in accordance with the omnibus rule. From the gap analysis, the organization will be able to determine the scope of necessary changes, and plan accordingly.

Implementation plan. Business associates and their subcontractors should initiate plans for implementing a HIPAA compliance program, if they have not done so. This work should begin with a vetting process by business associates, probably with the assistance of the related covered entity, to determine which contractors and subcontractors are applicable. Then, a plan should be created for performing or redoing related risk analyses, creating a timeline for developing and executing security plans, and setting a timeline for development and implementation of new business associate agreements.

Business associate agreements. Covered entities should develop a plan to revise all existing BAAs.

Forms. Covered entities should plan to create or revise all forms that apply to provisions in the rule. These include, but are not limited to: requests for PHI access; requests to limit PHI release; and authorization forms addressing marketing, research, sale of PHI, and fundraising communications.

Workforce training. All regulated entities should consider timing and execution of applicable workforce training programs.
Fundraising

In the past, use of clinical information in fundraising communications by not-for-profit organizations was prohibited; covered entities were limited to using demographic and certain insurance data. Acknowledging that use of more substantive data could enhance the value of fundraising efforts, HHS expanded the information that organizations may use to include certain PHI. This information is limited to disclosures of the department that served the patient, his or her physician's identity, and general information about treatment outcomes. The fundraising value of these new permissions is significant: individuals can be targeted because of their experience in specific clinical situations or departments, and fundraising appeals can be sent in the name of a former patient's physician.

The rule emphasizes that covered entities must provide patients with a "clear and conspicuous" notice of their right to opt out of future fundraising communications, and offer a reasonably convenient way to do so. Fundraising entities are required to honor individuals' opt out requests, though they may provide a method to opt back in to the communications.

Research

In the past, HIPAA required separate individual authorizations to use PHI for research projects, depending on whether the authorization was "conditioned" or "unconditioned." In response to researchers' concerns about prohibitive paperwork, the omnibus rule now permits them to combine conditioned and unconditioned authorizations into one form. The document must clearly offer individuals the option to opt in to the unconditioned authorization, and researchers must abide by their decisions.

PHI of Decedents

The omnibus rule focuses on the PHI of deceased individuals in two areas, in order to address practical concerns of both covered entities and relatives of decedents. The original privacy rule allowed covered entities to disclose information about a decedent only to a personal representative.
The omnibus rule expanded such disclosures to family members and others who were involved in the care or payment for care of the decedent before death, and who likely had access to the individual's PHI during that time. However, if the covered entity knows of any conflicting, expressed wishes of the decedent, such disclosures are not allowed.

Previously, covered entities were required to protect deceased individuals' PHI indefinitely. HHS has acknowledged that locating a personal representative to authorize use or disclosure of a decedent's PHI can become impractical over time. The new rule limits the period PHI must be protected to 50 years after the individual's death, suggesting that this is sufficient to protect the privacy interests of most living relatives.

Immunization Records

In support of public health concerns, the omnibus rule makes it easier for schools to receive proof of students' immunizations. Covered entities now may disclose immunization records of students or prospective students to schools, if required by law. However, they must obtain and document the parent or guardian's agreement, which may be received either orally or in writing.

Genetic Information

HHS expanded HIPAA's reach relative to protected data to now include genetic information within the definition of PHI. This change reflects requirements under the Genetic Information Nondiscrimination Act of 2008 (GINA). As in GINA, the omnibus rule provides that health plans may not use or disclose genetic information for underwriting purposes. In addition, health plans' notices of privacy practices must now specifically reference this prohibition.

New Breach Provisions Likely to Increase Breach Notifications

In a move seemingly designed to increase the number of breach notifications, HHS eliminated the risk of harm standard in the final omnibus rule, modified the definition of "breach" and altered the risk assessment analysis that entities must perform for each potential breach. Previously, an entity had to determine whether a breach posed a significant risk of financial, reputational or other harm to an individual. Admittedly, this permitted subjective analysis by the covered entity; however, HHS does not provide any evidence in support of its claim that "some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set."

To lower that threshold, HHS changed the definition of "breach" so that any impermissible use or disclosure of PHI is now presumed to be a breach, unless the covered entity or business associate demonstrates low probability that the PHI has been compromised. HHS acknowledges that there remain several situations in which the unauthorized acquisition, access, use or disclosure of PHI is so inconsequential that it does not amount to a breach or warrant notification. The comments even give an example of a misdirected fax containing PHI, where the recipient physician immediately calls to say he has destroyed it, and note that even though this situation does not fit into any of the statutory or regulatory exceptions, the covered entity "may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised."
The new risk assessment, instead of looking at the risk of harm to the individual, focuses on the probability that PHI has been compromised based on a consideration of at least the following four factors (plus additional unspecified factors as deemed appropriate by the covered entity):

- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.

HHS believes that this type of assessment will result in a more objective evaluation of the risk to the PHI and a more uniform application of the rule.

One final note: HHS also removed the exception for limited data sets that do not contain any dates of birth and ZIP codes. So if there is an impermissible use or disclosure of such a limited data set, even one without birth dates and ZIP codes, a risk assessment that evaluates the factors discussed above must still be performed to determine if breach notification is required.

Finally, HHS notes that covered entities and business associates are encouraged to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other PHI, pursuant to the 2009 Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If PHI is thus encrypted, then no breach notification is required following an impermissible use or disclosure of PHI. Clearly, that is the safest route to take.
Notice of Privacy Practices

As a result of various changes in the rule, covered entities must update and redistribute their notices of privacy practices (NPP). Notices should reflect the rule's provisions concerning:

- certain individual rights regarding uses and disclosures that require authorization, such as marketing, sale of PHI, fundraising and research;
- for providers only, the individual's right to restrict disclosures to health plans, when he or she has paid out of pocket for an item or service;
- an affected individual's right to be notified of a breach of PHI;
- other uses and disclosures not described in the NPP that require authorization; and
- for health plans only, the prohibition against considering genetic information in underwriting.

New Breach Notification Process Is More Objective and Very Stringent

Until now, the guiding HIPAA standard for determining if an improper use or disclosure of PHI qualified as a breach was whether there was significant risk of harm to an individual. Covered entities, after appropriate assessment, were allowed to make this determination. HHS has since rejected this level of discretion and eliminated it in the new rule. The rule now requires an assessment of whether the security incident compromises the privacy and security of PHI; the harm standard is no longer a factor (see the detailed discussion under "New Breach Provisions Likely to Increase Breach Notifications" above).

HHS' HIPAA Enforcement Powers Hit Harder and Go Farther

Many of HHS' enforcement powers as defined in the omnibus rule were already assembled under the HITECH Act and the interim enforcement rule. Broadly speaking, HHS expanded its ability to enforce HIPAA to a longer chain of regulated entities, defined stricter enforcement criteria, and increased penalties for violations. Business associates have come under the penalty umbrella, and like covered entities, are directly subject to financial penalties.
If a subcontractor of a business associate meets HHS' definition of an agent and commits a violation, the business associate may be liable for penalties, depending on the latter's authority to manage the relationship.

HHS makes it clear that it will investigate any complaint when a preliminary review, or an independent HHS inquiry, indicates a possible violation due to willful neglect. However, if there are no indications of willful neglect, HHS will rely on informal, voluntary actions to seek compliance.

In determining the amount of civil money penalties, HHS now considers the following factors: the nature and extent of the violation, the nature and extent of harm, the entity's history of prior compliance, and the financial condition of the entity. The rule formally adopts the HIPAA civil money penalty structure as increased by the HITECH Act, and sets the same categories for levels of violations.
Civil money penalty structure ("before" and "on or after" refer to the date of the violation relative to 2/18/2009):

Violation Category              | Each Violation, before 2/18/2009 | Each Violation, on or after 2/18/2009 | All Identical Violations Per Calendar Year, before 2/18/2009 | All Identical Violations Per Calendar Year, on or after 2/18/2009
Did Not Know                    | Up to $100                       | $100 - $50,000                        | $25,000                                                      | $1,500,000
Reasonable Cause                | Up to $100                       | $ - $50,000                           | $25,000                                                      | $1,500,000
Willful Neglect - Corrected     | Up to $100                       | $10,000 - $50,000                     | $25,000                                                      | $1,500,000
Willful Neglect - Not Corrected | Up to $100                       | $50,000                               | $25,000                                                      | $1,500,000

Authors

D'Arcy Guerin Gue is vice president of industry relations for Phoenix Health Systems, a division of Medsphere Systems Corporation and a leading provider of health care information technology outsourcing, consulting and project management. She has written on many health care IT issues over her 25-year career, with a special emphasis on HIPAA information privacy and security, Meaningful Use, ICD-10 and other industry initiatives.

Steven J. Fox, Esq., is a principal with Post & Schell, PC, a national law firm serving clients throughout the United States, where he is chair of the Information Technology Group and co-chair of the Data Protection Group. An acknowledged authority on health IT, Mr. Fox assists clients with legal issues and strategic counseling involving technology, licensing of health care information systems, data privacy matters and health care regulatory compliance.

Copyright 2013 by Thompson Information Services. All rights reserved. Photocopying without the publisher's consent is strictly prohibited. Consent needs to be granted to reproduce individual items for personal or internal use by the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA
More informationHIPAA Omnibus Rule Compliance
HIPAA Omnibus Rule Compliance Jana Aagaard, JD Senior Counsel, Privacy/HIT Dignity Health Christy Navarro, MS CIPP/US Director, Chief Privacy Officer - Ascendian 1 Overview Background What Should Be Done
More informationSaturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules
Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.
More informationColorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc.
Colorado Medical Society The HIPAA OMNIBUS RULE June 3, 2013 Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Agenda The HIPAA Omnibus Rule - a high level overview Effective dates SpeciLic
More informationHighlights of the Final Omnibus HIPAA Rule
Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,
More informationHIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule
HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com
More informationNew HIPAA Rules and Implications for the Industry January 29, 2013
New HIPAA Rules and Implications for the Industry January 29, 2013 **Audio for this webinar streams through the web. Please make sure the sound on your computer is turned on. If you need technical assistance,
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationO n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report
Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 168, 02/04/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
More informationNPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH
NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationHIPAA & The Medical Practice
HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,
More informationBREACH NOTIFICATION POLICY
PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities
More informationHIPAA Final Omnibus Rule Playbook
DOWNLOADABLE GUIDE HIPAA Final Omnibus Rule Playbook Your Ticket to Winning the Compliance Game Offensive Plays HIPAA Privacy Rule Defensive Plays HIPAA Security Rule Special Team Plays Breach Notification
More informationThe HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.
The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance I. INTRODUCTION Patricia A. Markus, Esq. AHLA Hospitals and Health Systems Law Institute February 13, 2013 On January 17, 2013, the
More informationHIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017
HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability
More informationAssessing and Mitigating Risk Under the HIPAA Omnibus Rule
Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta
More informationAssessing and Mitigating Risk Under the HIPAA Omnibus Rule
Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta
More informationHIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment
More informationVOL. 0, NO. 0 JANUARY 23, 2013
Health IT Law & Industry Report VOL. 0, NO. 0 JANUARY 23, 2013 Reproduced with permission from Health IT Law & Industry Report, 5 HILN 4, 01/23/2013. Copyright 2013 by The Bureau of National Affairs, Inc.
More informationALERT. November 20, 2009
ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made
More information"HIPAA RULES AND COMPLIANCE"
PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS
More informationHITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort
Slide 1 HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort Slide 2 Electronic Copy of PHI Form and Format requested, if readily producible
More informationARRA s Amendments to HIPAA Privacy & Security Rules
ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health
More informationWhat is HIPAA? (1 of 2)
HIPAA 1 HIPAA On August 21 1996 the federal government passed the Health Information Portability and Accountability Act of 1996 Has been update throughout; with the newest update (Final Rule) going into
More informationOmnibus HIPAA Rule: Impact on Covered Entities
Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,
More informationHIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102a What You Don t Know About HIPAA Privacy and Security Can Really Hurt You! Revision 2015 Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) About Myself - Jack Kolk, CEO
More informationHIPAA Enforcement Under the HITECH Act; The Gloves Come Off
HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are
More informationNEWSLETTER. Volume Nine - Number One January The Final HIPAA HITECH Regulations: Making the Business Case for ERM
NEWSLETTER Volume Nine - Number One January 2013 The Final HIPAA HITECH Regulations: Making the Business Case for ERM A Special Expanded Edition of TRG enews When the proposed final rule was sent to the
More informationHIPAA Omnibus Rule. Employer Alert
Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 227, 2/11/13, 02/11/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
More informationHIPAA Privacy Overview
HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More informationThe Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure
The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )
More informationHIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security
More informationHIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More informationAROC 2015 HIPAA PRIVACY AND SECURITY RULES
AROC 2015 HIPAA PRIVACY AND SECURITY RULES Presented by: Robert A. Paster, Esq. Brach Eichler L.L.C. 101 Eisenhower Parkway Roseland, NJ 07068 973-403-3144 rpaster@bracheichler.com www.bracheichler.com
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationBreach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule
Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance
More information1.) The Privacy Rule (Part 164, Subpart E)
1.) The Privacy Rule (Part 164, Subpart E) 164.500 Applicability 164.501 Definitions (health care operations, marketing, underwriting purposes, payment) 164.502 Uses and disclosures of protected health
More informationIT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER]
IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW Publication IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER] Author James B. Wieland 2012: Issue
More informationInterim Date: July 21, 2015 Revised: July 1, 2015
HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:
More informationEffective Date: 4/3/17
HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)
More informationOmnibus Rule: HIPAA 2.0 for Law Firms
Omnibus Rule: HIPAA 2.0 for Law Firms Introduction On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the muchanticipated Omnibus Rule 1 finalizing changes to the HIPAA
More informationInterpreters Associates Inc. Division of Intérpretes Brasil
Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable
More informationAn Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated
More informationWelcome to today s Webinar
Welcome to today s Webinar Managing Risk Exposure in Meaningful Use Stage 2 June 28 28, 2013 A A project project of of L.A. L.A. Care Care Health Health Plan Plan 1 Ralph Oyaga, Esq., J.D., MBA is the
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS
HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More informationHIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?
HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What
More informationHIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities
Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com
More informationThe Audits are coming!
HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been
More information