Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates


Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
November 7, 2013
Brad M. Rostolsky, Partner, Reed Smith LLP, brostolsky@reedsmith.com
Nancy E. Bonifant, Associate, Reed Smith LLP, nbonifant@reedsmith.com

Agenda
- Compliance Dates
- HIPAA Enforcement
- Breach Notification Rule
- Marketing Communications
- Sale of Protected Health Information
- Business Associate Compliance
- Individual Rights

Key Dates for Compliance
- Final Rule published: January 25, 2013
- Effective Date: March 26, 2013
- Breach Notification Rule enforced under the Interim Final Rule until the General Compliance Date
- General Compliance Date: September 23, 2013
  - Exception: Business Associate Agreements
  - Exception: Prescription Refill Reminders

Key Dates for Compliance (cont.)
- Enforcement Rule: March 26, 2013
- Business Associate Agreements
  - Grandfather period through Sept. 22, 2014, unless the BAA is modified or renewed
  - New BAAs executed (or those modified/renewed) must meet Final Rule requirements by Sept. 23, 2013
- Prescription Refill Reminders
  - Grandfather period through Sept. 23, 2014 if the patient is already enrolled in the program, provided that the patient has not opted out and the prescription has not been renewed

HIPAA Enforcement: Global Considerations
- Say goodbye to voluntary compliance!
- The Security Rule risk assessment is a key component to successfully surviving an OCR investigation/inquiry; this is reflected through direct statements and enforcement trends
- The Final Rule mostly imports earlier changes from the 2009 Interim Enforcement Final Rule and the 2010 HITECH Proposed Rule

HIPAA Enforcement (cont.): HITECH Enforcement CMP Levels

Violation Category               Each Violation        All Identical Violations per Calendar Year
Did Not Know                     $100 - $50,000        $1.5 million
Reasonable Cause                 $1,000 - $50,000      $1.5 million
Willful Neglect, Corrected       $10,000 - $50,000     $1.5 million
Willful Neglect, Not Corrected   $50,000               $1.5 million

HIPAA Enforcement (cont.): Violations Due to Willful Neglect
- An investigation or compliance review will always be triggered whenever OCR's preliminary review indicates a possible violation because of willful neglect
- OCR may now proceed immediately to penalties (it no longer must first try to resolve noncompliance through informal means)
- Business associates are now directly liable for CMPs

HIPAA Enforcement (cont.)
Agency Relationships
- Covered entities are now liable for the acts of their business associate agents
- Business associates are liable for the acts of their subcontractor agents
- OCR: the key consideration is control
Affirmative Defenses
- Old Rule: no CMP where a violation is criminally punishable
- New Rule: no CMP where a violation is criminally punished

HIPAA Enforcement (cont.)
- OCR (maybe) has less discretion in determining the CMP amount, which is based on the nature and extent of the violation and the extent of the harm resulting from the violation
- OCR guidelines for calculating CMPs:
  - Number of violations = number of individuals affected
  - Number of violations = number of days a safeguard was not in place
- The $1.5 million limit for identical violations in a calendar year applies to the legal entity constituting the covered entity; this is important when various business units within a covered entity suffer enforcement for identical violations
Enforcement Perspective of OCR (relating to breaches)
- The government appreciates that loss and theft will occur
- Ultimately, when it does occur, OCR will focus on what was done preventively to best protect the involved PHI
- Does a covered entity/business associate have a good (and documented) reason as to why encryption was not used?

Breach Notification Rule: History
- 2009 HITECH Act
- 2009 Interim Final Rule
- HITECH Final Rule
The bulk of the Breach Notification Rule has been left unchanged:
- Notification of breach of unsecured PHI
- Media notice requirements (500+ individuals)
- Notice to OCR (including annual notice for fewer than 500 individuals)
- Content requirements of notice
- Timing of notice to individuals (without unreasonable delay, but in no event later than 60 days after discovery)

Breach Notification Rule (cont.): Significant Change to the Definition of Breach
- HITECH Act definition: acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the privacy or security of PHI
- Interim Final Breach Notification Rule: further defined "compromise" through a risk-of-harm analysis (financial, reputational, other harm); OCR (and industry) have noted challenges in applying this standard
- HITECH Final Rule: impermissible access, use, or disclosure under the Privacy Rule is now presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised

Breach Notification Rule (cont.): Determination That There Is a Low Probability That PHI Has Been Compromised
OCR provides four factors that must be weighed in making this determination:
1. The nature and extent of the PHI involved (including the types of identifiers involved) and the likelihood of re-identification. Risk-of-harm component? Not really: consider the likelihood of re-identification based on the PHI involved and the identity of the recipient
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated (satisfactory assurances)
Additional OCR guidance is to be published; timing is unclear

Breach Notification Rule (cont.): Important Clarifications and Emphasis in the Final Rule
- Limited Data Set exception removed
- The trigger for annual notification is the date of discovery (not the date of the incident); this is important for incidents that occur (but are not discovered) at the end of a calendar year
- Media notice does not require covered entities to buy ad space
- The notification time period is not "within 60 days of discovery"; 60 days is the absolute latest at which a notification may be deemed compliant

Marketing Communications
Former Privacy Rule
- Marketing: to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
- Treatment and certain health care operations communications excluded
Final Rule
- Eliminates the exceptions for financially remunerated treatment and health care operations communications
- Prior authorization is required when a covered entity receives financial remuneration in exchange for making a treatment communication

Marketing Communications (cont.)
Financial Remuneration
- Defined as monetary (direct or indirect) payments from the third party whose product or service is being described
- Notably, financial remuneration does not include in-kind benefits
Financial Remuneration and Business Associates
- If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization

Marketing Communications (cont.): Two Critical Questions
1. Is the covered entity or business associate receiving financial remuneration?
2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?

Marketing Communications (cont.)
Scope of Authorizations
- Need not be limited to communications describing a single product or service, or the services of a single third party
- A single authorization may apply to subsidized communications generally
Exceptions to the Authorization Requirement Remain
- Face-to-face communications
- Promotional gifts of nominal value

Marketing Communications: Prescription Refill Reminder Exception
- Financially remunerated prescription refill reminders remain excluded if the financial remuneration is limited to the reasonable costs of making the communication
Recent Guidance from OCR: Two-and-a-Half Critical Questions
1. Is the communication about a currently prescribed drug or biologic?
2. Does the communication involve financial remuneration, and if so, is it reasonable?

Marketing Communications: Prescription Refill Reminder Exception (cont.)
Is the communication about a currently prescribed drug or biologic?
Within the exception:
- Refill reminders about a drug or biologic that is currently being prescribed
- Communications regarding generic equivalents
- Communications about a recently lapsed prescription (i.e., within the past 90 calendar days)
- Adherence communications
- For individuals who are prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system
Not within the exception:
- Communications about specific new formulations of a currently prescribed medicine
- Communications about specific adjunctive drugs related to the currently prescribed medicine
- Communications encouraging an individual to switch from a prescribed medicine to an alternative

Marketing Communications: Prescription Refill Reminder Exception (cont.)
Does the communication involve financial remuneration, and if so, is it reasonable?
Within the exception:
- No financial remuneration involved
- Only non-financial or in-kind remuneration, such as supplies, computers, or other materials
- Only payments from a party whose product is not being described (and not on behalf of the party whose product is being described)
- Financial remuneration covers only the reasonable direct and indirect costs related to the refill reminder (i.e., labor, materials, and supplies, as well as capital and overhead costs)
- Involves payment to a business associate assisting the covered entity, which is limited to the FMV of the business associate's services
Not within the exception:
- Involves financial remuneration not described above

Sale of Protected Health Information
Sale of PHI Defined
- The disclosure of PHI by a covered entity (or business associate, if applicable) where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI
Financial Remuneration
- Unlike marketing communications, remuneration includes financial payments as well as nonfinancial, in-kind benefits
"In Exchange For" PHI
- The covered entity is primarily being compensated to supply PHI
- Excludes remuneration in the form of grants and contracts to perform programs or activities that also involve the disclosure of PHI

Sale of Protected Health Information (cont.)
General Prohibition
- Sale of PHI is prohibited in the absence of an authorization that states the disclosure of PHI will result in remuneration to the covered entity
Notable Exceptions, Regardless of the Amount of Remuneration
- For public health purposes
- For treatment and payment purposes
- For the sale, transfer, merger or consolidation of all or part of the covered entity, and for related due diligence
- As required by law

Sale of Protected Health Information (cont.)
Notable Exceptions With Limits on Remuneration
- For research purposes (provided the remuneration is limited to the covered entity's reasonable cost to prepare and transmit the PHI)
- To the individual, to provide him/her with access to PHI or an accounting of disclosures (remuneration limited to permissible charges under the Privacy Rule)
- To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor (remuneration must be for the actual performance of activities)
- For any other purpose permitted by or in accordance with the Privacy Rule (limited to a reasonable cost-based fee)

Business Associate Compliance
Definition of Business Associate Expanded
- Health Information Organizations
- E-Prescribing Gateways
- Patient Safety Organizations
- Cloud Providers
- Business associate subcontractors
  - Requires delegation of a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI
  - All the way down the chain

Business Associate Compliance (cont.)
Direct Liability: Security Rule
- September 23, 2013: business associates are directly liable for a failure to comply with the requirements of the Security Rule
Direct Liability: Impermissible Uses and Disclosures of PHI and Business Associate Agreements
- A business associate's Privacy Rule obligations are tied to the uses and disclosures permitted and prohibited in the BAA
- But a business associate's liability exposure is not tied to the existence of a BAA; liability attaches when a person creates, receives, maintains or transmits PHI on behalf of a covered entity

Business Associate Compliance (cont.)
Direct Liability: Additional HITECH Statutory Requirements
- For a failure to provide breach notification to the covered entity
- For a failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement)
- For a failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules, or
- For a failure to provide an accounting of disclosures

Individual Rights
Statutory Requirement for Accounting of Disclosures Not Addressed
- May 2011 Proposed Rule: the HITECH Act requires an accounting of disclosures of PHI made by a covered entity over the past three years to carry out treatment, payment, and health care operations
Omnibus HITECH Final Rule Addresses:
- An individual's right to restrict certain disclosures of PHI
- An individual's right to access his or her PHI maintained in designated record sets

Individual Rights (cont.)
Right to Request a Required Restriction
Covered entities are required to comply with an individual's request to restrict disclosure of the individual's PHI to a health plan where:
- The disclosure is for payment or health care operations purposes
- The disclosure is not otherwise required by law
- The PHI pertains solely to health care services or items for which the individual, or another person on the individual's behalf, has paid the covered entity in full

Individual Rights (cont.)
- Right to Access PHI: individuals now have the right to obtain an electronic copy of PHI that is maintained in any electronic system
- Readable Electronic Format: covered entities must be able to provide a readable electronic form, for example MS Word or Excel, text, HTML, or text-based PDF
- Time to Respond to Request: thirty days to take action, plus one 30-day extension
- Fees: reasonable, cost-based fees may be charged. Such fees may not include labor costs for locating the PHI, but may include labor costs for creating and copying the electronic file

Questions?
