HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by


Agenda
- What the Omnibus Rule includes, with effective and compliance dates
- Security
- Breach Notification
- Enforcement
- Access to ePHI
- Right of Restriction
- Genetic Information Nondiscrimination Act (GINA)
- Immunization Records
- Decedents
- Notice of Privacy Practices
- Business Associates

Dates + 4 Rules
The Omnibus Final Rule is effective March 26, 2013, and the compliance date is September 23, 2013. It finalizes four earlier rulemakings:
- July 2010 Notice of Proposed Rulemaking (NPRM) on the HITECH privacy and security changes to HIPAA
- October 2009 NPRM on the Genetic Information Nondiscrimination Act (GINA) changes to HIPAA
- August 2009 Interim Final Rule (IFR) on HIPAA Breach Notification
- October 2009 Interim Final Rule (IFR) on the HIPAA Enforcement Rule

Security
All of the Omnibus Rule regulations have security impacts:
- Business Associates must implement all Security Rule standards and implementation specifications
- Subcontractors are now Business Associates and must likewise implement all Security Rule standards and implementation specifications
- Business Associates are directly liable for compliance with all requirements of the HIPAA Security Rule
- The privacy updates for sale of PHI, the right of restriction and GINA will require segregating the affected data from other ePHI so that it can be handled differently
- A breach may be an act or omission involving paper PHI or ePHI

Security
The HIPAA Security Rule now applies directly to Business Associates: they must comply with the applicable standards, implementation specifications, and requirements with respect to electronic protected health information (45 C.F.R. 164.302, Applicability). Almost every provision of the Security Rule that referred to the "covered entity" now reads "covered entity or business associate".

Business Associate + the Security Rule
Business Associates are now directly responsible for:
- 164.306 Security standards: general rules
- 164.308 Administrative safeguards, including 164.308(a)(1)(ii)(A) Risk analysis (Required)
- 164.310 Physical safeguards
- 164.312 Technical safeguards
- 164.314 Organizational requirements, including 164.314(a)(1) Standard: Business associate contracts or other arrangements
- 164.316 Policies and procedures and documentation requirements

Breach Notification
The HITECH Act was the first federal law mandating breach notification for the health care industry. It applies to:
- Covered Entities
- Business Associates
- Personal Health Record (PHR) vendors and PHR service providers
The Federal Trade Commission (FTC) regulates PHR vendors; the Health and Human Services (HHS) regulations cover CEs and BAs.

Breach Notification: Remember State Law
46 states (plus DC, Puerto Rico, and the Virgin Islands) have breach notification laws. Evaluate state law as well as the Omnibus Rule requirements, comparing:
- Trigger
- Timing
- Content
- Recipients

Data Breach Notification Overview
Upon discovery of a breach of unsecured protected health information (PHI), Covered Entities and Business Associates must make the required notifications, subject to certain exceptions.

Definition of Breach
A breach is the acquisition, access, use, or disclosure of unsecured PHI
- in a manner not permitted by the HIPAA Privacy Rule
- that compromises the security or privacy of the PHI
So far so good, but...

Omnibus Final Rule Presumption
An impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a reportable breach UNLESS the entity demonstrates that there is a low probability that the PHI has been compromised ("lo pro co"). "Compromise" is not defined by the HIPAA Rules; the preamble describes it as the PHI being inappropriately viewed, re-identified, re-disclosed, or otherwise misused.

Breach Risk Assessment
A documented risk assessment must demonstrate that there is a low probability that the PHI has been compromised. Four factors are mandatory:
1. What PHI: the nature and extent of the PHI involved
2. Who: the unauthorized person who used the PHI or to whom the disclosure was made
3. Acquired: whether the PHI was actually acquired or viewed
4. Mitigation: the extent to which the risk to the PHI has been mitigated
Other factors may be considered, and the conclusion is an evaluation of the overall probability of compromise.

Breach Risk Assessment
The risk assessment must be:
- Thorough
- Completed in good faith
- Supported by reasonable conclusions
The entity retains the discretion to provide notification without performing a risk assessment.

Timing of Notice
- Notification must be made without unreasonable delay
- No more than 60 days after discovery
- Subject to delay at the request of law enforcement

Discovery
A breach is discovered when:
- the entity has actual knowledge of the breach, including knowledge held by a workforce member or agent (other than the person committing the breach), or
- using reasonable diligence, the entity would have known of the breach

Practical Steps
- Revise breach notification policies and procedures
- Revisit (or perform) the Security Rule risk analysis
- Develop or revisit the Security Incident Response Plan
- Pay special attention to portable media and personal devices
- Train the entire workforce on avoidance, alertness to potential breaches, and response to a breach

Practical Steps
- Prepare the incident response team
- Be ready to respond to news media attention: have a designated spokesperson
- Consider tightening Business Associate Agreements, particularly for agents
- Encryption! Make the most of the encryption safe harbor, and verify document destruction. The HHS guidance, which draws on National Institute of Standards and Technology (NIST) publications, specifies the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals
- Audit access to PHI and enforce policies
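The encryption safe harbor is only as good as the key handling behind it: under the HHS guidance, PHI encrypted with a NIST-approved method is "secured" only if the decryption key was not also exposed, which is why a laptop carrying both the encrypted database and its key is still a breach of unsecured PHI. The following is an added example written for this page, not code from the presentation: it encrypts one ePHI record with AES-256-GCM from the Go standard library, binds the ciphertext to a patient identifier so it cannot be quietly re-attached to another patient's row, and then tallies which records found on a lost device still count as unsecured. The record layout, the patient-ID-as-AAD convention, the sample values, and the assumption that the key lives in a separate key store are this example's own choices.

```go
// Added example (not from the presentation): AES-256-GCM protection of an
// ePHI record plus a safe-harbor tally for records found on a lost device.
// Assumptions: keys are fetched from a separate key store (HSM/KMS) and are
// never written to the device; record layout and sample data are constructed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptPHI seals plaintext with AES-256-GCM. The patient identifier is passed
// as additional authenticated data (AAD), so a ciphertext copied from one
// patient's row to another's fails to decrypt. Output is nonce||ciphertext||tag.
func EncryptPHI(key, plaintext, patientID []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, patientID), nil
}

// DecryptPHI reverses EncryptPHI. Any change to the ciphertext, the key, or the
// patient identifier makes the GCM tag check fail and yields an error.
func DecryptPHI(key, sealed, patientID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, patientID)
}

// ExposedRecord is one record an unauthorized party obtained from a lost device.
type ExposedRecord struct {
	Data      []byte
	Encrypted bool // Data is an EncryptPHI envelope rather than plaintext
}

// CountUnsecured counts the records that must be treated as unsecured PHI for
// breach-notification purposes: every plaintext record, plus every encrypted
// record when the key was obtainable from the same device (keyOnDevice).
func CountUnsecured(records []ExposedRecord, keyOnDevice bool) int {
	n := 0
	for _, r := range records {
		if !r.Encrypted || keyOnDevice {
			n++
		}
	}
	return n
}

func main() {
	key := make([]byte, 32) // in practice fetched from the key store, never stored with the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	sealed, err := EncryptPHI(key, []byte("DOB 1970-01-01; Dx J45.20"), []byte("patient:0001"))
	if err != nil {
		panic(err)
	}
	if _, err := DecryptPHI(key, sealed, []byte("patient:0002")); err != nil {
		fmt.Println("ciphertext is bound to patient:0001; reuse under another ID rejected:", err)
	}
	lost := []ExposedRecord{
		{Data: sealed, Encrypted: true},
		{Data: []byte("DOB 1970-01-01"), Encrypted: false}, // a stray plaintext export
	}
	fmt.Println("unsecured records, key held separately:", CountUnsecured(lost, false))
	fmt.Println("unsecured records, key on same device:  ", CountUnsecured(lost, true))
}
```

The two CountUnsecured calls at the end are the practical point: the same lost device yields one notifiable record when the key was held elsewhere and two when the key travelled with the data, so the device inventory for a breach risk assessment must record where the key was, not only whether encryption was turned on.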

Increased Enforcement
- The HITECH Act significantly strengthened HIPAA enforcement
- The Interim Final Rule of October 2009 created four categories of culpability with corresponding penalties and took effect immediately
- The Omnibus Rule is the Final Enforcement Rule
- The Enforcement Rule applies to Covered Entities and Business Associates

Increased Enforcement: Focus on Willful Neglect
Willful neglect is a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA.
- OCR will investigate all cases of possible willful neglect
- OCR will impose a penalty on all violations due to willful neglect

Increased Enforcement: Penalty Tiers

Violation category                         | Each violation     | All identical violations in a calendar year
Did Not Know                               | $100 - $50,000     | $1,500,000
Reasonable Cause                           | $1,000 - $50,000   | $1,500,000
Willful Neglect, corrected within 30 days  | $10,000 - $50,000  | $1,500,000
Willful Neglect, not corrected             | $50,000            | $1,500,000

The annual limits are per type of violation; for example, four types of continuing violations over three years could total $18 million (4 x 3 x $1,500,000).

What to Do Now! Create a Culture of Compliance
OCR is aggressively enforcing the HIPAA Privacy, Breach Notification and Security Rules. OCR suggests that Covered Entities and Business Associates should have a robust HIPAA Privacy and Security Compliance Program, including:
- Employee training
- Vigilant implementation of policies and procedures
- A prompt plan to respond to incidents and breaches
- Regular internal audits

Sample Fines
- CVS: Privacy, $2.25M, 2009 (complaint)
- Cignet: Privacy, $4.3M, 2011 (civil money penalty, complaint)
- Phoenix Cardiac Surgery: Privacy and Security, $100K, 2012 (OCR audit)
- MEEI: Security, $1.5M, 2012 (self-reported breach)
- BCBS Tennessee: $1.5M, 2012 (self-reported breach)
- Alaska Medicaid: Security, $1.7M, 2012 (self-reported breach)
- Hospice of North Idaho: Security, $50,000, 2013 (self-reported breach affecting fewer than 500 individuals)
PLUS onerous Corrective Action Plans.

Right of Access
Under the Omnibus Rule the Right of Access:
- Requires the Covered Entity to provide the individual a copy of electronic protected health information (ePHI) that is maintained electronically in one or more designated record sets, in the electronic form and format requested or otherwise agreed upon
- Allows the individual to direct the Covered Entity to send the ePHI to a third party (the request must be in writing, signed by the individual, and clearly identify the designated recipient and where to send the copy)
- Means the Covered Entity needs new policies and procedures to verify such requests

Right of Restriction
Under the Omnibus Rule the Right of Restriction:
- An individual may request that a health care provider Covered Entity not disclose information to the individual's health plan when the individual, or a family member or other person on the individual's behalf, pays in full for the service or care
- The restriction applies only to disclosures to health plans and their Business Associates
- The provider is required to grant this request (unless the disclosure is otherwise required by law)
- Providers are not required to notify other providers of the restriction

GINA
- Genetic information is broadly defined to include the manifestation of a disease or disorder in a family member of the individual, in addition to genetic tests of the individual and family members and the receipt of genetic services
- A health plan that uses or discloses PHI for underwriting purposes must revise its NPP to state that it will not use or disclose genetic information for such purposes
- The health plan definition has also been revised; HHS has exercised its authority to extend the GINA underwriting prohibition to all health plans except long-term care plans

Student Immunization Records
A Covered Entity may release student immunization records to a school without an authorization:
- If state or other law requires the school to have the immunization record
- With written or oral agreement from the parent, guardian or individual (an oral agreement must be documented)

Decedent Information
- Information about a decedent is no longer PHI 50 years after death (a specific exclusion from the definition of PHI)
- A Covered Entity may disclose a decedent's PHI to family members and others who were involved in the decedent's care or payment for care, unless doing so is contrary to a prior expressed preference of the individual

Notice of Privacy Practices
Under the Omnibus Rule the NPP must include:
- A statement of when an authorization is needed: psychotherapy notes (where applicable), marketing, and sale of PHI
- Fundraising communications and the right to opt out of them
- The right to request a restriction, with no guarantee that the Covered Entity will agree (except for the paid-in-full restriction on disclosures to a health plan)
- The right to be notified of a breach of unsecured PHI

Business Associates Under HITECH
Who is a Business Associate? Under the Omnibus Final Rule, an entity that creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA on behalf of a Covered Entity. The Omnibus Final Rule expanded the definition of Business Associate to include:
- Health Information Organizations
- E-prescribing gateways
- Personal Health Record (PHR) providers acting on behalf of a Covered Entity
- Patient Safety Organizations
- Subcontractors that create, receive, maintain, or transmit PHI on behalf of a Business Associate
Subcontractor means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of that Business Associate.

New Business Associate Obligations
Summary of BA obligations under the Omnibus Final Rule:
- Direct compliance with all requirements of the HIPAA Security Rule
- Direct liability for impermissible uses and disclosures of PHI under HIPAA
- Provide the CE with notice of a breach in accordance with the Breach Notification Rule
- Provide access to a copy of electronic PHI to the CE (or the individual)
- Provide PHI where required by the Secretary to investigate the BA's compliance with HIPAA
- Provide an accounting of disclosures as required by HITECH (final rule pending)

New Business Associate Obligations: BA Privacy Rule Duties Limited to HITECH Changes
The HITECH Act does not impose ALL Privacy Rule obligations on a BA. BAs are subject to direct enforcement of HIPAA Privacy Rule obligations and penalties in the same manner as a CE, BUT only to the extent required under HITECH, not all of the HIPAA Privacy Rule obligations.

QUESTIONS
Susan A. Miller, JD
TMSAM@aol.com
(O) 978-369-2092
(C) 978-505-5660
Thank You!