OMNIBUS RULE ARRIVES


AFTER THE OMNIBUS RULE

Agenda
- Omnibus Rule is here
- Business Associates (BAs) Agreement
- Breach Notification Change
- Breach Reporting Requirements (Federal and State)
- Notification to Care1st Health Plan Members
- Breach Notification Timeframes
- Member Breach Notification Letter must be approved by the State (Department of Health Care Services (DHCS))

OMNIBUS RULE ARRIVES

OMNIBUS HITECH FINAL RULE: The Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule (the "Omnibus Rule") was released on January 17, 2013 and published January 25, 2013 in the Federal Register: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
The HIPAA Omnibus Rule implements the HITECH Act provision making Business Associates (BAs), and BAs' downstream subcontractors, directly accountable for compliance with the Health Insurance Portability and Accountability Act's (HIPAA) Security and Privacy Rule requirements.
The compliance deadline for Covered Entities and Business Associates was September 23, 2013.

HITECH FOCUS AREAS FOR BUSINESS ASSOCIATES
Business Associates' HIPAA/HITECH obligations:
- Direct HIPAA compliance with the Security Rule (i.e., written policies and a security risk assessment)
- Direct HIPAA compliance with the applicable sections of the Privacy Rule
- HIPAA BA agreements and sub-vendor (subcontractor) BA agreements
- Security breach notifications: presumption of breach; the specific exceptions, or a documented breach risk assessment
- Who must BAs notify? When must BAs notify?
Business Associate Agreements

HIPAA Definition: Business Associate (45 C.F.R. 160.103)
A Business Associate (BA) is a person or entity who or that:
(i) On behalf of such covered entity (CE) or of an organized health care arrangement (OHCA) in which the CE participates, but other than in the capacity of a member of the workforce of such CE or arrangement, performs, or assists in the performance of:
A. a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
B. any other function or activity regulated by this subchapter; OR
(Note: the slide quotes the pre-Omnibus wording of prong (i). The Omnibus Rule reworded it so that a BA is a person who "creates, receives, maintains, or transmits" PHI for such a function or activity, which is why simply storing PHI on a CE's behalf is enough to make a vendor a BA.)

HIPAA Definition: Business Associate (continued), 45 C.F.R. 160.103
(ii) Provides, other than in the capacity of a member of the workforce of such CE, legal, actuarial, accounting, consulting, data aggregation (as defined in 164.501), management, administrative, accreditation, or financial services to or for such CE, or to or for an OHCA in which the CE participates, where the provision of the service involves the disclosure of PHI from such CE or arrangement.

HITECH FINAL RULE: Expanded Definition of a Business Associate
Now specifically includes:
- E-prescribing gateways
- Vendors of personal health records offered on behalf of a covered entity (CE)
- Health information organizations

HITECH FINAL RULE: Expanded Definition of a Business Associate (continued)
- Any person or entity that provides data transmission services for PHI and requires access to the PHI on a routine basis
- Conduits for data transmission are NOT BAs (e.g., an entity that retains PHI only for the period of time necessary to support the transmission process)
Caveat: the conduit exception is narrow. It covers transient transmission services such as a courier or an Internet service provider. A vendor that stores PHI (for example, a cloud storage or online backup provider) is a BA even if the PHI is encrypted and the vendor holds no decryption key, as HHS's 2016 guidance on HIPAA and cloud computing makes explicit.

BAs' SUBCONTRACTORS TOO!
Any person or entity that creates, receives, maintains, or transmits PHI on behalf of a HIPAA Business Associate (45 CFR 160.103, definition of "business associate", paragraph (3)(iii)):
- This applies even if the subcontractor and the BA do not enter into a Business Associate Agreement (BAA);
- The HIPAA/BAA obligations attach to downstream subcontractors too!
- The Office for Civil Rights (OCR) can directly enforce requirements against subcontractors.

CAN BAs AND SUB-BAs AVOID HIPAA?
The absence of a BA Agreement does NOT mean that a BA can avoid HIPAA compliance. BA status is determined by HIPAA's definitions and by the activities of the BA (or subcontractor), and direct compliance and enforcement by OCR cannot be avoided simply by not having a HIPAA-compliant BA Agreement in place between the CE and the BA, or between the BA and its subcontractor.

CAN BAs AND SUB-BAs AVOID HIPAA? (continued)
Not being a BA does NOT mean HIPAA is not relevant. If you do not need access to a CE's PHI to perform a service or function on behalf of that Covered Entity, then not only are you likely not a BA, but you might also not have the authority to be accessing or using such PHI at all.

BREACH NOTIFICATION

SECURITY BREACH NOTIFICATION: HITECH INTERIM BREACH RULE
Defined a breach to mean, generally: "the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the PHI." It further elaborated that "compromises the security or privacy of the PHI" meant "poses a significant risk of financial, reputational, or other harm to the individual."
Note: HHS originally included the harm test in order to align the rule with many State breach notification laws, as well as with existing obligations on Federal agencies that have a similar risk-of-harm standard for triggering breach notification.

SECURITY BREACH NOTIFICATION: HITECH FINAL RULE
Removes the "significant risk of harm" test and replaces it with a presumption: any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised. The CE or BA has the burden of proof to demonstrate that low probability. The CE or BA must also maintain written documentation sufficient to show why it concluded that there was a low probability that the PHI was compromised and therefore did not issue notices (e.g., a completed HIPAA breach risk assessment tool).

BREACH UNDER FEDERAL LAW
Element | HITECH (Interim Rule) | OMNIBUS (Final Rule)
Who is covered? | Covered Entities (CEs) and Business Associates (BAs) | Same
What information? | Protected Health Information (PHI) | Same
What medium? | Electronic, paper, and oral | Same

WHEN IS A SECURITY INCIDENT A BREACH?
Element | HITECH (Interim Rule) | OMNIBUS (Final Rule)
Breach defined | Unauthorized acquisition, access, use, or disclosure of unsecured PHI, i.e., a use or disclosure in violation of the Privacy Rule | Same, plus a presumption of breach
Secured vs. unsecured | PHI is "secured" when rendered unusable, unreadable, or indecipherable to unauthorized persons by encryption or destruction per National Institute of Standards and Technology (NIST) standards; anything else is "unsecured" | Same
"Compromises" | Significant risk of harm | Low probability that the PHI has been compromised
Caveat: the encryption safe harbor only applies if the encryption is consistent with the HHS/NIST guidance and the key or confidential process that would allow decryption has not itself been breached. A stolen laptop with full-disk encryption whose password was on a sticky note attached to it still holds unsecured PHI.

SAFE HARBORS: EXCEPTIONS AND KNOWLEDGE
Element | HITECH (Interim Rule) | OMNIBUS (Final Rule)
Unintentional | Acquisition, access, or use by an employee or agent of the CE or BA; in good faith; within the scope of authority; no further violation of the Privacy Rule | Acquisition, access, or use by a workforce member or person acting under the authority of the CE or BA; in good faith; within the scope of authority; no further violation of the Privacy Rule
Inadvertent disclosures | By an employee or agent of the CE or BA, to an employee or agent at the same CE or BA; no further violation of the Privacy Rule | By a workforce member or person acting under the authority of the CE or BA, to a workforce member at the same CE or BA; no further violation of the Privacy Rule

SAFE HARBORS: EXCEPTIONS AND KNOWLEDGE (continued)
Element | HITECH (Interim Rule) | OMNIBUS (Final Rule)
Retention not possible | Disclosure to an unauthorized person where the CE or BA has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI | Same
Knowledge (when a breach is "discovered") | Actual knowledge (including knowledge imputed from employees and agents), or should have known by exercising reasonable diligence | Same

LOW PROBABILITY PHI COMPROMISED: Four (4) Factors (Factors 1 and 2)
Factor 1: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Risk assessment: Consider the type of PHI involved, i.e., whether the PHI is of a more sensitive nature. If credit card numbers, Social Security numbers, or other information that increases the risk of identity theft or financial fraud are involved, this cuts against finding a low probability that the PHI was compromised. With clinical information, consider the nature of the services, as well as the amount of information and the level of detail involved.
Factor 2: The unauthorized person who used the PHI or to whom the disclosure was made.
Risk assessment: Consider who the unauthorized recipient is or might be. If the recipient is someone at another CE or BA, there may be a lower probability that the PHI has been compromised, since such entities are obligated to protect the privacy and security of PHI in a similar manner to the CE or BA from which the breached PHI originated. Compare that with PHI impermissibly disclosed to the individual's employer, who could compare the information against dates of absence from work.

LOW PROBABILITY PHI COMPROMISED: Four (4) Factors (Factors 3 and 4)
Factor 3: Whether the PHI was actually acquired or viewed.
Risk assessment: Consider whether the PHI was actually acquired or viewed or, rather, whether only the opportunity existed. For example, if the CE/BA mails the information to the wrong individual, who opens the envelope and calls the CE/BA to say that he or she received the information in error, HHS points out that the unauthorized recipient viewed and acquired the information because he or she opened and read it, and so this cuts against a finding that there is a low probability that the PHI was compromised. By contrast, if a laptop computer is stolen and later recovered, and a forensic analysis shows that the otherwise unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise compromised, the CE/BA could determine that the information was not actually acquired. Note that it is the documented forensic analysis that supports this conclusion; a recovered device on its own does not.
Factor 4: Mitigation, i.e., the extent to which the risk to the PHI has been mitigated.
Risk assessment: A CE or BA must attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the PHI will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. When determining the probability that the PHI has been compromised, the CE or BA should consider what steps needed to be taken to mitigate, and how effective the mitigation was.

Breach Reporting Requirements

Federal and State Breach Reporting Requirements
Number of individuals affected by the breach | Federal: Office for Civil Rights (OCR) | State: Department of Health Care Services (DHCS)
Fewer than 500 individuals | Annually: breaches are reported to HHS/OCR no later than 60 calendar days after the end of the calendar year in which the breach was discovered, at http://ocrnotifications.hhs.gov/ | Within 24 hours of discovery of any suspected security/privacy incident, intrusion, or unauthorized access, use, or disclosure of protected health information (PHI) or personally identifiable information (PII), or potential loss of confidential data, by email or fax; and within 72 hours, by completing the Privacy Incident Report (PIR) Form* and emailing it to privacyofficer@dhcs.ca.gov and to the DHCS Information Security Officer at iso@dhcs.ca.gov
500 individuals and above | Without unreasonable delay and in no case later than 60 calendar days following discovery of the breach, at http://ocrnotifications.hhs.gov/; also notify prominent media outlets serving the State or jurisdiction (e.g., in the form of a press release) | Same
* The DHCS PIR Form can be found on Care1st's website.

Breach Notification Timeframe Requirements for Members

Member Breach Notification Timeframe Requirements
Number of individuals affected by the breach | Federal: Office for Civil Rights (OCR) | State: Department of Health Care Services (DHCS)
Fewer than 500 individuals | Without unreasonable delay and in no case later than 60 calendar days following discovery of the breach | Without unreasonable delay and in no event later than 60 calendar days following discovery of the breach
500 individuals and above | Same | Same
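The reporting and member-notification tables above give the outer clocks an incident team has to track from the moment a breach of unsecured PHI is discovered. The following Python is an added example, not part of the Care1st deck or any Care1st tool: it turns the two tables into a small deadline calculator plus an overdue check. It assumes the timeframes exactly as the deck states them (60 calendar days federally, 24 and 72 hours for DHCS, the 500-individual threshold), assumes the discovery time passed in is the first moment the breach was known or should reasonably have been known, and does not model the law-enforcement delay exception or the DHCS pre-approval of member letters. The incident in the usage block is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Timeframes as the deck states them (assumed fixed here for illustration;
# confirm against current regulations and the DHCS contract before relying on them).
FEDERAL_WINDOW_DAYS = 60                    # member, OCR and media notice: no later than 60 calendar days
LARGE_BREACH_THRESHOLD = 500                # 500 or more individuals: contemporaneous OCR report plus media notice
DHCS_INITIAL_REPORT = timedelta(hours=24)   # DHCS: email/fax report of a suspected incident within 24 hours
DHCS_PIR_FORM = timedelta(hours=72)         # DHCS: Privacy Incident Report (PIR) form within 72 hours


@dataclass(frozen=True)
class BreachDeadlines:
    member_notice_by: date            # notice to affected individuals
    ocr_report_by: date               # report to HHS/OCR via the breach portal
    media_notice_required: bool       # True only for 500 or more individuals
    dhcs_initial_report_by: datetime  # 24-hour DHCS report
    dhcs_pir_form_by: datetime        # 72-hour DHCS PIR form


def breach_deadlines(discovered_at: datetime, individuals_affected: int) -> BreachDeadlines:
    """Compute the outer deadlines for a breach of unsecured PHI.

    `discovered_at` is the first moment the breach was known, or by exercising
    reasonable diligence should have been known (the deck's "knowledge" element).
    Every clock runs from discovery, not from when the breach occurred.
    """
    if individuals_affected < 1:
        raise ValueError("a breach involves at least one individual")
    discovery_day = discovered_at.date()
    member_notice_by = discovery_day + timedelta(days=FEDERAL_WINDOW_DAYS)
    large = individuals_affected >= LARGE_BREACH_THRESHOLD
    if large:
        # 500 or more: OCR is notified on the same clock as the individuals.
        ocr_report_by = member_notice_by
    else:
        # Fewer than 500: logged and reported annually, within 60 days after the
        # end of the calendar year in which the breach was discovered.
        ocr_report_by = date(discovery_day.year, 12, 31) + timedelta(days=FEDERAL_WINDOW_DAYS)
    return BreachDeadlines(
        member_notice_by=member_notice_by,
        ocr_report_by=ocr_report_by,
        media_notice_required=large,
        dhcs_initial_report_by=discovered_at + DHCS_INITIAL_REPORT,
        dhcs_pir_form_by=discovered_at + DHCS_PIR_FORM,
    )


def overdue_obligations(deadlines: BreachDeadlines, now: datetime) -> list[str]:
    """Return the obligations whose deadline has already passed at `now`.

    Date-only deadlines are treated as running until the end of that calendar day,
    so a notice sent any time on the deadline date is still on time.
    """
    missed = []
    if now > deadlines.dhcs_initial_report_by:
        missed.append("dhcs_initial_report")
    if now > deadlines.dhcs_pir_form_by:
        missed.append("dhcs_pir_form")
    if now.date() > deadlines.member_notice_by:
        missed.append("member_notice")
        if deadlines.media_notice_required:
            missed.append("media_notice")
    if now.date() > deadlines.ocr_report_by:
        missed.append("ocr_report")
    return missed


if __name__ == "__main__":
    # Constructed example: a misdirected mailing discovered on 1 Oct 2013 at 10:00, 120 members.
    d = breach_deadlines(datetime(2013, 10, 1, 10, 0), individuals_affected=120)
    print(d)
    # Two days later the 24-hour DHCS report is the only clock already missed.
    print(overdue_obligations(d, datetime(2013, 10, 3, 9, 0)))
```

The useful property for an incident team is that the <500 and 500+ cases diverge only in the OCR report and the media notice; the member-notice and DHCS clocks are identical, so the 24-hour DHCS report is always the first deadline to miss.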

Breach Notification for Care1st Members must be approved by the State (DHCS)
Under the Business Associate Agreement between Care1st and DHCS, Exhibit G, Term of Agreement III, section J (Breaches and Security Incidents), paragraph 4 (Notification of Individuals), listed on page 9 of Exhibit G, the agreement states the following:
"If the cause of a breach of PHI or PI is attributable to Business Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any costs associated with the breach. The notifications shall comply with the requirements set forth in 42 U.S.C. section 17932 and its implementing regulations, including, but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days. The DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made."

Questions? Ask us or look online.
- Care1st's Privacy Officer and Corporate Compliance Officer (Brooks Jones): 323 889 6638, extension 6202, or email Bjones@care1st.com
- Care1st's Compliance Department: ComplianceSIU@care1st.com or ComplianceDepartment@care1st.com
- Care1st's Information Security Officer (Herbert Woo): extension 6208, or email HWoo@care1st.com
- Care1st's HOTLINE number: 1 877 837 6057
- Visit http://www.hhs.gov/ocr/privacy/index.html