HIPAA Compliance Under the Magnifying Glass

HIPAA Compliance Under the Magnifying Glass
July 30, 2013
Stacy Harper, JD, MHSA, CPC
A Webinar Provided by

Presenter
Stacy Harper
Lathrop & Gage, LLP
sharper@lathropgage.com
913-451-5125

The information provided is for educational purposes only and is not intended to be considered legal advice or to create an attorney-client relationship.

Basic Structure of HIPAA

HIPAA Privacy
- Applies to all protected health information (PHI), in any form
- Determines when PHI can be used or disclosed
- Minimal safeguard requirements
- Provides patients with rights to their information

HIPAA Security
- Applies to electronic protected health information (ePHI) only
- Adds additional layers of safeguards (administrative, physical and technical) for ePHI

HIPAA Breach Notification
- Spans Privacy and Security
- Adds transparency to the process

If state law differs from HIPAA, the more stringent law (the one more protective of the individual) applies.

Who is a Covered Entity
- A health plan
- A health care clearinghouse
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care, including: claims or encounter information; health care payment or remittance advice; coordination of benefits; health care claims status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claim attachments; and other transactions prescribed by regulation.

Who is a Business Associate
A person or entity who, with respect to a covered entity, either:
- On behalf of the covered entity or an organized health care arrangement, but other than as a member of the covered entity's workforce, creates, receives, maintains or transmits PHI for an activity regulated by HIPAA, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities; benefit management; practice management; and repricing; or
- Provides, other than as a member of the workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity or organized health care arrangement, where performing the service involves the disclosure of PHI.

Business Associate also includes:
- A health information organization, e-prescribing gateway, or other person that provides data transmission services to a covered entity and requires access to PHI on a routine basis
- A person that offers a personal health record on behalf of a covered entity
- A subcontractor that creates, receives, maintains or transmits PHI on behalf of a Business Associate

Certain exceptions apply.

What is Protected Health Information
Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI does not include:
- Education records covered by FERPA
- Certain higher education records
- Employment records held by a covered entity in its role as employer
- Information regarding a person who has been deceased for more than 50 years

Health information means any information, including genetic information, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.

Individually identifiable means information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

What Did the Omnibus Regulations Change?
- Application of HIPAA to Business Associates
- HIPAA Privacy Standards:
  - Notice of Privacy Practices
  - Use of PHI for marketing
  - Sale of PHI
  - Use of PHI for fundraising
  - Disclosure of PHI to a decedent's family members
- HIPAA/HITECH Breach Notification Standards: definition of breach
- HIPAA Enforcement

Business Associates

Business Associates
Definition revised to add:
- Patient safety organizations
- Health information exchanges, e-prescribing gateways and other data transmission companies
- Vendors of personal health records offered on behalf of covered entities
- Subcontractors of Business Associates

Other changes:
- Business Associates are directly required to implement the HIPAA Security Rule (policies, procedures and safeguards)
- The Minimum Necessary standard applies to Business Associates
- Business Associates must have written agreements with their subcontractors

Revisions to Business Associate Agreements
- A model Business Associate Agreement is available from the Office for Civil Rights (OCR)
- New terms:
  - Written agreement with each subcontractor
  - Comply with HIPAA Security as if a Covered Entity
  - Notification of breaches to the Covered Entity
  - If carrying out a Covered Entity's obligation under HIPAA, comply with the HIPAA requirements that apply to that obligation
- If the Business Associate is considered an agent of the Covered Entity, the Business Associate's knowledge of a breach may be imputed to the Covered Entity (which starts the Covered Entity's notification clock)

Enforcement: Liability for Business Associates
A Covered Entity is liable for violations by a Business Associate IF the Business Associate is considered an agent of the Covered Entity (determined under the federal common law of agency).

Factors to determine the scope of agency:
- Time, place and purpose of the Business Associate's conduct
- Whether the Business Associate engaged in a course of conduct subject to the Covered Entity's control
- Whether the Business Associate-agent's conduct is commonly done by a Business Associate to accomplish the service performed on behalf of the Covered Entity
- Whether the Covered Entity reasonably expected that a Business Associate-agent would engage in the conduct in question

A Business Associate can be an agent:
- Even though the Covered Entity does not retain the right or authority to control every aspect of the Business Associate's activities
- Even if the Covered Entity does not exercise its right of control, where evidence exists that it holds the authority to exercise that right

HIPAA Privacy Standards

Notice of Privacy Practices
- A revised Notice of Privacy Practices must be available to existing patients and provided to new patients
- The new notice must be posted in the location where care is provided

Revisions include a specific statement:
- That an authorization is required for most uses and disclosures of psychotherapy notes
- That an authorization is required to use or disclose PHI for marketing or for the sale of PHI
- Regarding use or disclosure of PHI for fundraising, including the individual's right to opt out of fundraising communications
- Regarding use or disclosure of PHI to a plan sponsor
- That a health plan may not use or disclose genetic information for underwriting purposes (consistent with GINA)
- That the Covered Entity must notify an individual following a breach of his or her unsecured PHI

Other Changes
- Use of PHI for marketing
- Sale of PHI
- Use of PHI for fundraising
- Disclosure of PHI to a decedent's family members

HIPAA/HITECH Breach Notification Standards

Definition of Breach
Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the protected health information.

Exclusions from Breach
- Workforce use: unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a CE or BA, made in good faith and within the scope of authority, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- Workforce disclosure: inadvertent disclosure by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE, BA or organized health care arrangement, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- No way to retain the information: an unauthorized disclosure where the CE or BA has a good faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain it

"Significant Risk of Harm" Standard Replaced
- An impermissible acquisition, access, use or disclosure of PHI is now presumed to be a breach
- The Covered Entity (or Business Associate) has the option of performing a breach risk assessment to rebut that presumption
- The risk assessment must include analysis of at least:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - The unauthorized person who used the PHI or to whom the disclosure was made
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated
- If the risk assessment determines a low probability that the PHI was compromised, no notification is required
- The CE or BA bears the burden of demonstrating that notification was not required, so the assessment and its conclusion should be documented and retained

Enforcement

Enforcement

Civil monetary penalty tiers (per violation; maximum for identical violations in a calendar year):

Tier   Conduct                                                              Old HIPAA                      New HIPAA (HITECH/Omnibus)
1      Violation not known, and would not have been known by                None                           At least $100 per violation;
       exercising reasonable diligence                                                                     $25,000 max
2      Violation due to reasonable cause, but not willful neglect           $100 per violation;            At least $1,000 per violation;
                                                                            $25,000 max                    $100,000 max
3      Violation due to willful neglect, if corrected within 30 days        $100 per violation;            At least $10,000 per violation;
                                                                            $25,000 max                    $250,000 max
4      Violation due to willful neglect, if not corrected                   $100 per violation;            At least $50,000 per violation;
                                                                            $25,000 max                    $1.5 million max

Note: the tiered annual caps above follow the HITECH statute; the Omnibus Rule text at 45 CFR 160.404 sets $1.5 million as the calendar-year cap for identical violations in every tier.

Factors to Determine Penalty
- Nature and extent of the violation
- Nature and extent of the harm
- History of compliance
- Financial condition of the covered entity or business associate
- Other matters as justice may require

Results of OCR Audit Demonstration Program
- 60% of deficiencies identified were related to HIPAA Security
- 58 of 59 providers audited had at least one HIPAA Security deficiency
- 47 of 59 providers, 20 of 35 health plans, and 2 of 7 clearinghouses had not conducted a complete and accurate risk assessment
- Top three deficiencies were related to contingency planning and backups; audit controls and monitoring; and access management
- Most common cause of a deficiency: the entity was unaware of the requirement
- The next round of audits is expected to include business associates and to be scheduled following the September 23, 2013 compliance date

Enforcement Activities
- Settlements may originate with a complaint or a breach report
- Primary breaches include:
  - Stolen or lost laptops or media
  - Unsecured firewall
  - Employee access to information
  - Disclosure of information
- Business Associates were responsible for more breaches than Covered Entities
- Most frequent deficiencies cited include:
  - Failure to perform a risk assessment
  - Inadequate training
  - Insufficient policies and procedures
  - Incomplete security measures
  - Failure to safeguard media
- Most settlements involve a corrective action plan with ongoing monitoring in addition to penalties

Strategy for Improvement

Development of a Robust Compliance Program
- Learn the rules
- Identify and control PHI within the organization
- Perform a risk assessment
- Develop a schedule to implement security measures that resolve the identified risks
- Customize Privacy and Security policies to guide workforce compliance
- Implement a training program
- Create an ongoing monitoring program
- Create a process for identification, investigation and resolution of incidents
- Continually re-evaluate and improve

Questions?
Stacy Harper
Lathrop & Gage LLP
sharper@lathropgage.com
913-451-5125