HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

Transcription

1 ASPPR

2

3 The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes in the final rulemaking provide the public with increased protection and control of personal health information. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

4 HIPAA OMNIBUS RULE This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented, said HHS Office for Civil Rights Director Leon Rodriguez. These changes not only greatly enhance a patient s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.

5 The final rule also reduces burden by streamlining individuals ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

6 Areas (3) that CE will need to focus on to comply with the new rules : Privacy, Security, and Breach Notification policies and procedures (and in some cases, new workflows and forms); Notice of Privacy Practices (NPP); and Business Associate (BA) Agreements.

7 The new rules will likely require changes to a CE practice s HIPAA policies and procedures in at least the following areas: Data Breach notification requirements The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the new rules. Breaches are now presumed reportable unless, after completing a risk analysis applying four factors, it is determined, that there is a low probability of PHI compromise.

8 The CV must consider all of the following four factors: 1. the nature and extent of the PHI involved issues to be considered include the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified; 2. the person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information; 3. whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and 4. the extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.

9 The rebuttable presumption of breach and four factor assessment of the risk of PHI compromise replaces the previous, more subjective significant risk of financial, reputational, or other harm analysis for establishing a breach. The new rules further clarify that there is no need to have an independent entity conduct the risk assessment and indeed, no risk assessment need be conducted at all if the breach notification is made (although, physicians will want to undertake an appropriate review and steps to mitigate the harm and reduce the likelihood of future breaches in any case). The new rules further confirm that the breach notification requirement may be delegated to a BA, and physicians are encouraged to coordinate with their BAs so that patients receive only one notification of the breach.

10 The new rules do not modify the actual reporting and timeframe requirements for Breach Notification; that is, covered entities must still adhere to requirements for individual notification, HHS notification, and where applicable media posting of the breach.

11 The notification required by paragraph (a) of this section shall include, to the extent possible: (A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (C) Any steps individuals should take to protect themselves from potential harm resulting from the breach; (D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, Web site, or postal address.

12 Written notice. (i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. (ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual

13 Notification to the media. a) For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in (a)(2), notify prominent media outlets serving the State or jurisdiction. b) Timeliness of notification. Except as provided in , a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

14 Notification to the Secretary. (b) Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in , provide the notification required by paragraph (a) of this section contemporaneously with the notice required by (a) and in the manner specified on the HHS Web site. (c) Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.

15 Notification by a business associate. General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).

16 BA - Timeliness of notification. Except as provided in , a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Content of notification. (1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. (2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under (c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.

17 Notification, Law enforcement delay If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: (a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or (b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

18 Administrative requirements and burden of proof Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at

19 Areas (3) that CE will need to focus on to comply with the new rules : Disclosures to health plans At the patient s request, physicians may not disclose information about care the patient has paid for out-of-pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the previous HIPAA Privacy Rule governing patient requests for restrictions on the use or disclosure of their PHI. Previously, while physicians could refuse to abide by any such request, the new rule requires physicians and other health care providers to abide by a patient s request not to disclose PHI to a health plan for those services for which the patient has paid out-of-pocket and requests the restriction. Of all the changes made by the new rules, this change is likely to have the greatest impact on physician practice workflow both in terms of documentation and follow up to ensure the restriction is adhered to.

20 Marketing communications The new rules further limit the circumstances when physicians may provide marketing communications to their patients in the absence of the patient s written authorization. Generally speaking, the only time a physician may tell a patient about a third-party s product or service without the patient s written authorization is when: i. the physician receives no compensation for the communication; ii. iii. iv. the communication is face-to-face; the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit); the communication involves general health promotion, rather than the promotion of a specific product or service; or v. 5) the communication involves government or government-sponsored programs. vi. Physicians are also still permitted to give patients promotional gifts of nominal value (e.g., pamphlet).

21 Sale of protected health information: (A) Except pursuant to and in compliance with (a)(4), a covered entity or business associate may not sell protected health information. (B) For purposes of this paragraph, sale of protected health information means: a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.

22 Sale of protected health information does not include a disclosure of protected health information: I. For public health purposes II. III. For research purposes pursuant t (i) or (e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes; IV. For treatment and payment purposes pursuant to (a); V. For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to (a);

23 Sale of protected health information does not include a disclosure of protected health information vi. To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to (e) and (e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities; vii. To an individual, when requested under or ; viii. For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.

24 Decedents The new rules allow physicians to make relevant disclosures to the deceased s family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient s death.

25 Copies of e-phi Physicians will now have only 30 days to respond to a patient s written request for his or her PHI with one 30-day extension, regardless of where the records are kept (eliminating the longer 60-day timeframe for records maintained offsite). They must provide access to EHR and other electronic records in the electronic form and format requested by the individual if the records are readily reproducible in that format. Otherwise, they must provide the records in another mutually agreeable electronic format. Hard copies are permitted only when the individual rejects all readily reproducible e-formats.

26 ing PHI Physicians must also consider transmission security, and may send PHI in unencrypted s only if the requesting individual is advised of the risk and still requests that form of transmission.

27 Charging for copies of e-phi or PHI The new rules modify the costs that may be charged to the individual for copies to include labor costs (potentially to include skilled technical labor costs for extracting electronic PHI and supply costs if the patient requests a paper copy, or if electronic, the cost of any portable media (such as a USB memory stick or a CD), assuming state law does not set a lower reimbursement rate. The rules also clarify that physicians may impose a separate charge for creating an affidavit of completeness.

28 OMNIBUS RULE Research authorizations The new rules permit physicians to combine conditioned and unconditioned authorizations for research participation, provided individuals can opt-in to the unconditioned research activity. Moreover, these authorizations may encompass future research.

29 OMNIBUS RULE Notice of Privacy Practices (NPP) Cover Entities must amend their NPPs to reflect the changes set forth above, including those related to breach notification, disclosures to health plans, and marketing and sale of PHI. To the extent physicians engage in fundraising, they will also have to amend their NPP to inform patients of their right to opt-out of those communications. As the rules presume these are all material changes, physicians will have to post the revised NPP, and make copies available at their office, to all new patients and to anyone else on request. Cover Entities who maintain a website are cautioned to post the updated NPP on their website as required by the existing HIPAA Privacy rule. The new rules also eliminate requirements to include information on communications concerning appointment reminders, treatment alternatives, or health-related benefits or services in NPPs, but the rules do not require that that information be removed either.

30 OMNIBUS RULE Business Associates (BAs) The new rules expand the universe of individuals and companies that must be treated as business associates to include Patient Safety Organizations and others involved in patient safety activities, health information organizations like e-prescribing gateways or health information exchanges that transmit and maintain PHI, and personal health record vendors physicians sponsor for their patients. Thus, physicians must review their relationships and determine if they must enter new BA agreements with these entities or others that create, receive, store, maintain, or transmit PHI on their behalf.

31 OMNIBUS RULE Business Associates (BAs) These rules also modify the requirements for BA agreements: Physicians no longer must report failures of their BAs to the government when termination of the agreement is not feasible, as HHS has concluded that the BA s direct liability for these violations is sufficient. BAs are now responsible for their subcontractors. BAs must comply with the Security and Breach Notification Rules. Physicians are liable for the actions of their BAs who are agents, but not for the actions of those BAs that are independent contractors.

32 OMNIBUS RULE BA agreements that have not been renewed or modified between March 26, 2013, and September 23, 2013, will be deemed compliant until the date the BA agreement is renewed or modified or until September 22, 2014, whichever is earlier

33 OMNIBUS RULE Business associate contracts. A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

34 OMNIBUS RULE Business associate contracts. A contract between the covered entity and a business associate must: (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by ; (D) In accordance with (e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

35 OMNIBUS RULE Business associate contracts. A contract between the covered entity and a business associate must: (ii) Provide that the business associate will: (E) Make available protected health information in accordance with ; (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with ; (G) Make available the information required to provide an accounting of disclosures in accordance with ; (H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation

36 OMNIBUS RULE Business associate contracts. A contract between the covered entity and a business associate must: (ii) Provide that the business associate will: (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with ; (G) Make available the information required to provide an accounting of disclosures in accordance with ; (H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation.

37 OMNIBUS RULE Business associate contracts. A contract between the covered entity and a business associate must: (ii) Provide that the business associate will: (I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and (J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. (iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

38 OMNIBUS RULE The new rules also implement the Genetic Information Nondiscrimination Act (GINA), which generally prohibits health plans from using genetic information for underwriting purposes

39 OMNIBUS RULE Genetic information means: (1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about: (i) The individual's genetic tests; (ii) The genetic tests of family members of the individual; (iii) The manifestation of a disease or disorder in family members of such individual; or (iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual. (2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of: (i) A fetus carried by the individual or family member who is a pregnant woman; and (ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology. (3) Genetic information excludes information about the sex or age of any individual.

40 OMNIBUS RULE Lcda. Ivonne I Rivera ivonneivelisse@gmail.com

41 este Alfonso, siempre quiere ir primero Alfonso Julio Yamila