HIPAA Omnibus Rule Compliance

Jana Aagaard, JD, Senior Counsel, Privacy/HIT, Dignity Health
Christy Navarro, MS, CIPP/US, Director and Chief Privacy Officer, Ascendian

Overview
- Background
- What should be done by now
- What can still be done
- Pitfalls to avoid

Background: Who Must Comply
- Covered Entities (physicians, hospitals, health plans, etc.)
- Business Associates (of all spots and stripes)
- Subcontractors (also Business Associates; it's "turtles all the way down")

Background: Timeline
- HITECH Act: February 2009
- Multiple NPRMs and IFRs: 2009-2011
- Final Rule released: January 25, 2013
- Effective date: March 26, 2013
- Compliance date: September 23, 2013
- Special date for BA agreement remediation: September 23, 2014
- Still awaiting: the Final Rule on Accounting for Disclosures (NPRM May 2011) and the Final Rule on CLIA/HIPAA changes (NPRM September 2011)

Jana Aagaard: Highlights of the Required Changes

Business Associates (BAs)
- Old definition: uses or discloses PHI on behalf of a CE
- New definition: creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA
- Timing requirements:
  - All new, modified, amended, extended, or restated agreements must contain the new BA provisions as of Sept. 23, 2013
  - All evergreen or long-term agreements must be updated by Sept. 23, 2014

BAs: Subcontractors and Agents
- A subcontractor is a BA if it creates, receives, maintains or transmits PHI on behalf of a CE or BA, even if there is no written contract between the BA and the subcontractor
- The covered entity is not responsible for ensuring that a contract exists between the BA and the sub-BA
- Agents must be treated specially:
  - Who is an agent? A facts-and-circumstances test under the federal common law of agency; there is no bright line
  - The covered entity remains responsible for its agent's actions
  - Thus, for agents, consider more stringent contract requirements for: the time allowed for breach notification; the ability to audit the BA's compliance; insurance and indemnification

BAs: New BAs and Exceptions
- Some newly named business associates:
  - Patient Safety Organizations
  - Health Information Organizations
  - E-prescribing gateways
  - Personal health record vendors
- Exceptions to the BA requirements:
  - An entity performing treatment (e.g., a PT hired by an MD)
  - A covered entity that is part of an OHCA and performs a BA function or activity on behalf of the OHCA (e.g., MDs helping with hospital peer review or QA)

Patient's Right to Mandatory Restriction
- CEs must agree to restrict disclosure of PHI about an item or service to a health plan at the patient's request if the patient (or someone on the patient's behalf) pays for the item or service out of pocket, in full
- OCR says there is no need to create separate medical records, but CEs "will need to employ some method to flag or note in the record ... to ensure that such information is not sent to or made accessible to the health plan."

Patient's Right to Mandatory Restriction: Challenges
- What about legal requirements to bill? If required by law to bill, the CE may do so.
- What about downstream consequences? The patient is responsible, BUT the CE should assist (e.g., paper prescriptions).
- What about one item or service out of many in an encounter? Unbundle the payment if possible; if not, the request can be denied.
- What about follow-up care? OCR highly encourages CEs to explain the situation to patients and give them the opportunity to request a further restriction. If disclosure to the plan is required for the follow-up care, however, the CE can disclose the full information.
- What about HMO care? The CE may have to advise the patient to seek out-of-network care. Contracts with plans may have to be renegotiated.

Patient's Rights: Electronic Access to PHI
- Patients have a right to electronic access to electronic PHI in designated record sets (for themselves and for a designated third party)
- The right extends to all portions of the designated record set (the CE "may need to invest in order to meet the requirements")
- CEs may:
  - Require a written request
  - Produce the record in the format requested if it is readily producible, or in an agreed-upon format if not
  - Charge a cost-based fee, which may include the cost of labor to copy the electronic record, the supplies for the format requested, and postage if mailing is requested

Breach Notification
- Goodbye subjective "risk of harm" assessment; hello objective "risk of compromise" assessment
- A breach is presumed, and reporting is required, unless an assessment by the covered entity of at least the following four factors shows a low probability that the PHI was compromised (see handout):
  1. The nature and extent of the PHI involved
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI actually was acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

Fundraising: Good News!
- New data elements permitted for fundraising use:
  - Date of birth
  - Department of service
  - Treating physician
  - Outcome information
  - Health insurance status
- New opt-out requirements:
  - Required with every fundraising communication
  - Clear and conspicuous
  - Easy to use (no letters or stamps required)
  - Must be honored fully
  - Treatment or payment may not be conditioned on the patient's choice
  - Must be described in the Notice of Privacy Practices

Marketing
- A patient-signed authorization is required for marketing communications, PLUS for all communications (even for treatment purposes) that involve remuneration from a third party (except refill reminders).
- "Marketing" means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
- Exceptions for treatment communications (with NO remuneration) include the following:

Marketing Exceptions: NO AUTHORIZATION NEEDED, so long as no payment is received, for:
- Communications by a provider for the treatment of an individual, including case management or care coordination, and recommendations of alternative treatments, therapies, providers, etc.
- Communications by a health plan describing health-related products or services that are provided by the plan, including communications about providers in a network
- Communications by a health plan for case management, care coordination, treatment alternatives, etc.

Enforcement Penalties: New Penalty Structure Finalized

Violation Category                   Each Violation       Annual Cap (Same Violation)
(A) Did not know                     $100 - $50,000       $1,500,000
(B) Reasonable cause                 $1,000 - $50,000     $1,500,000
(C) Willful neglect, corrected       $10,000 - $50,000    $1,500,000
(D) Willful neglect, not corrected   $50,000              $1,500,000

Christy Navarro: What Should Be Done by Now (in a Perfect World)

Policies and Procedures
- All privacy policies and procedures updated, covering:
  - Access
  - Marketing
  - Fundraising
  - Restrictions
  - Breach response
  - Use and disclosure

Update Business Associate Contracts as Required
- An update is required by September 23, 2013 if:
  - The contract was first executed on or after January 25, 2013, or
  - The contract was renewed or modified after March 26, 2013
- Required content includes:
  - The new definition of Business Associate
  - Language that the BA will comply with the applicable requirements of the Security Rule
  - A commitment to report breaches of unsecured PHI as required by 45 C.F.R. 164.410
  - A requirement that the BA pass the same restrictions down to its subcontractors
  - Additional requirements that apply when the Business Associate is carrying out a covered entity's obligations under the Privacy Rule

Update the Notice of Privacy Practices
- Update the notice provided to patients
- Don't forget the website; it is easy to tell which CEs are behind

Practical Tips and Pitfalls to Avoid: What Can Still Be Done

Business Associates
- Consider next steps in vendor management, such as negotiating a right-to-audit provision
- Solidify and activate a communication process with your BAs
- Ask for the names of your BA's Privacy Officer and Security Officer
- Consider a communication that highlights the changes and their impact on the BA (like the trifold handout)

Business Associates: Practical Tips
- If using a template, use competent counsel or check the OCR model provisions
- Be wary of claims of many new first-level BAs: except for the few specific additions, THE DEFINITION OF WHO IS A BA REMAINS THE SAME (caveat: subcontractors are now BAs)
- Be particularly careful to require your BA to flow down equally strong requirements to its subcontractors. From the Final Rule preamble: "In short, each agreement in the business associate chain must be as stringent or more stringent as the agreement above with respect to the permissible uses and disclosures." (emphasis added)
- If no remediation is needed, focus NOW on plans for evergreen and long-term agreements

Top Reasons for Business Associate Breaches (as of 10/17/2013)

Reason for Breach                  # of Breaches
Theft                              52
Unauthorized Access/Disclosure     41
Loss                               23
Hacking/IT Incident                16

Source: Health Information Privacy/Security Alert analysis of HHS Office for Civil Rights data

Patient Right to Restrict When They Pay Out of Pocket
- Where are you communicating with payers now? How about in the near future?
  - Electronic medical record interfaces
  - Health information exchange
  - Accountable care
- Audit the existing procedure
- Make it easy to catch in future uses and disclosures by including it in your privacy impact assessment and security risk assessment templates

Patient Right to Restrict When They Pay Out of Pocket: Practical Notes
- No easy, one-size-fits-all fix
- Many covered entities rely on a special code that bypasses the usual billing processes (counting on low frequency; experience so far agrees)
- The patient must request the restriction
- The new requirements DO NOT apply to all elective or cash-pay procedures
- Don't ignore it: low frequency but high ease of enforcement, because it is easy for a patient to show lack of compliance

Patient Right of Electronic Access
- Leverage patient portals (but don't confuse this right with Meaningful Use Stage 2)
- Audit the process in place for access requests that direct the copy to a third party
- Processes should be oriented toward patients and customer service
- Greater visibility of and access to information by patients means higher patient engagement
- Make patient rights part of strategy and business development
- Don't forget state law (California: 15 days)

Breach Management
- It is important to have a uniform process that evaluates both state and federal laws
- Don't analyze in a vacuum: compare notes, share tools, be consistent
- Expect a higher volume of reports than in the past
- Keep a template notice to patients with all state and federal notification elements
- A new chance for metrics
- Show your work, regardless of the outcome of your investigation

OCR's Top Complaint Categories
Answer: Impermissible Uses and Disclosures (U&D)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html

Year                 Issue 1             Issue 2             Issue 3   Issue 4          Issue 5
2010                 Impermissible U&D   Safeguards          Access    Min. Necessary   Notice
2009                 Impermissible U&D   Safeguards          Access    Min. Necessary   Complaints to Covered Entity
2008                 Impermissible U&D   Safeguards          Access    Min. Necessary   Complaints to Covered Entity
2007                 Impermissible U&D   Safeguards          Access    Min. Necessary   Notice
2006                 Impermissible U&D   Safeguards          Access    Min. Necessary   Notice
2005                 Impermissible U&D   Safeguards          Access    Min. Necessary   Mitigation
2004                 Impermissible U&D   Safeguards          Access    Min. Necessary   Authorizations
2003 (partial year)  Safeguards          Impermissible U&D   Access    Notice           Minimum Necessary

Notice of Privacy Practices
- Use the opportunity to strategically update your NPP for future uses and disclosures of PHI:
  - ACO
  - HIE
  - Patient portals
  - Clinical integration
- Link to patients' options for opting out
- Link to patients' options for setting consent preferences

Fundraising/Marketing
- An opportunity to plan for a scalable, electronically managed opt-out process
- Adapt the rules by use case (be ready for data analytics)
- Separation of duties between fundraising and marketing staff

Recordkeeping
"HIPAA compliance is like middle-school math. Everything depends on showing your work." -- Leon Rodriguez, Director, Office for Civil Rights
- Maintain a documentation log for all HIPAA-related requirements in one place
- Example: any and all locations where employee training acknowledgements are maintained (e.g., at the department level or centralized in Human Resources)