Nancy Davis, Ministry Health Care Peg Schmidt, Aurora Health Care Teresa Smithrud, Mercy Health System

Today's panel discussion addresses the HIPAA/HITECH Omnibus Rule change to Breach Notification that removed the harm threshold and replaced it with the presumption that each impermissible use or disclosure of PHI is a breach unless an exception applies or there is a low probability that PHI has been compromised, as determined through risk assessment.

Panelists: Nancy Davis, Ministry Health Care; Peg Schmidt, Aurora Health Care; Teresa Smithrud, Mercy Health System. Moderator: Thomas N. Shorter, Godfrey & Kahn, S.C.

HIPAA security breach incidents affecting over 22 million individuals have been reported. Theft remains the leading reason for breaches, followed closely by unauthorized access/disclosure and then loss.

Top locations for large breaches:
- Laptops
- Paper records
- Desktop computers
- Portable electronic devices

Sec. 13402. Notification In The Case of Breach. (HITECH Act) (a) In General: A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

Breach: "... the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." (Sec. 13400. Definitions.)

The new rule broadens the definition of breach of unsecured PHI: there are more circumstances in which covered entities and business associates must give notice of a breach.

The Final Rule removed the exception for a limited data set that excludes dates of birth and zip codes. Now, conduct a risk assessment if the PHI impermissibly used or disclosed involved only a limited data set.

Exceptions:
- Good faith, unintentional access, use or disclosure by a workforce member, within the scope of authority;
- Inadvertent disclosures by a person authorized to access PHI within a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate; and
- Good faith belief that the unauthorized person would not be able to retain the PHI.

Old subjective standard: notification was required if there was a significant risk of financial, reputational, or other harm to the individual.

New objective standard: eliminates the harm standard, which looked to whether the impermissible use, acquisition or disclosure of PHI constituted a significant risk of financial, reputational or other harm to the individual.

The focus is now on the risk that the PHI was compromised, instead of the risk of harm to the individual.

Risk assessment factors:
1. Nature and extent of the PHI, including types of identifiers and likelihood of re-identification.
2. The unauthorized person who used the PHI and/or to whom the PHI was disclosed.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.

Breach analysis steps:
1. Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI in violation of the Privacy Rule.
2. Determine if the PHI is unsecured.
3. Evaluate whether the incident falls under one of the exceptions to the notification obligations.
4. Presume the impermissible use or disclosure is a breach unless a risk assessment demonstrates a low probability of compromise to the PHI.
5. Resist the urge to automatically assume notification is required.

After completing the four risk assessment factors and any other necessary factors, and after determining whether there is a probability that the PHI has been compromised, remember to document in writing any risk assessment and analysis you complete.

Notice of Privacy Practices: certain statements (e.g., maintenance of privacy by the covered entity) must now be listed in the notice. Note that the Notice does not need to include definitions of "breach" and "unsecured" or describe the types of information that will be provided in a breach notification.

What have you done to make the transition to the new breach standard?

Policy

Processes: format; staff involved; processes needed to document against the new breach notification criteria.

Staff education and training: effective ways to teach workforce members the reality of the criteria. Which training formats have been especially effective?

Do you still see a place for the old harm standard?

What problems with the transition do you foresee?

Do you anticipate an increase in breach notifications to patients/OCR?

What do you foresee as problematic breach scenarios?

Problematic scenarios
