HIPAA and Lawyers: Your stakes have just been raised


HIPAA and Lawyers: Your stakes have just been raised
October 16, 2013
Presented by:
Harry Nelson, e: hnelson@fentonnelson.com
Claire Marblestone, e: cmarblestone@fentonnelson.com

AGENDA
- Statutory & Regulatory Framework
- Privacy/Security Obligations of Lawyers Who Are Business Associates (BA)
- Obligations of CA Attorneys, Irrespective of HIPAA
- Protecting the Attorney/Client Privilege
- Key Terms
- Are You A BA?
- Complying with the Security and Privacy Rules
- Dealing with Breaches
- Enforcement
- Conclusion

BACKGROUND
- Growing concerns of cyber-security risks and vulnerabilities
- Demonstrated public interest in privacy and security breaches
- Advanced persistent threats (APTs) to businesses and government (coordinated hacking)
- Newspaper headlines re: privacy/security violations
- HIPAA Final Omnibus Rule effective September 2013: applicability to some lawyers
- FTC Gramm-Leach-Bliley Act: applicability to lawyers?

STATUTORY & REGULATORY FRAMEWORK

Federal Privacy and Security Laws & Regulations
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- 45 C.F.R. Parts 160, 162, 164 (HIPAA Rules)

California Privacy and Security Laws
- CA Customer Records Act (Civil Code 1798, et seq., as amended by S.B. 1386)
- Confidentiality of Medical Information Act (Civil Code 56, et seq.)
- The Lanterman-Petris-Short Act (Welf. & Inst. Code 5000, et seq.)
- Patient Access to Health Records Act (Health & Safety Code 123100, et seq.)

Attorney-Specific Obligations
- Duty of Confidentiality: CA Rules of Prof. Conduct 3-100; ABA Model Rule 1.6. The duty of confidentiality extends to information relating to the representation of a client (including electronic data).
- Duty of Competence: CA Rules of Prof. Conduct 3-110(B)

SB 1386 (Civil Code 1798.29, 1798.82, 1798.84)
- Any business that owns electronic data with personal information about California residents is required to disclose any breach of security to the resident.
- "Personal information": first initial and last name in combination with social security number; driver's license number/ID; account number, credit or debit card number in combination with required security code; medical information; or health insurance information.

PROTECTING THE ATTORNEY CLIENT PRIVILEGE

Attorney-Specific Obligations
- Duty of Confidentiality: Cal. Rules of Prof. Conduct 3-100; ABA Model Rule 1.6; Cal. Bus. & Prof. Code 6068
- Evidentiary Privilege: Cal. Evid. Code 952
- Duty of Competence: Cal. Rules of Prof. Conduct 3-110(B)

Cal. Ethics Opinion 2010-179
An attorney's duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client's representation does not subject confidential information to an undue risk of unauthorized disclosure.

Cal. Ethics Opinion 2010-179
Factors to consider when using technology:
- Attorney's ability to assess the level of security afforded by the technology;
- Legal ramifications of third parties intercepting, accessing, or exceeding authorized use of information;
- Degree of sensitivity of the information;
- Potential adverse impact on the client;
- Urgency of the situation;
- Client instructions and circumstances.

HIPAA Considerations
- Business Associate Agreements: explicitly recognize the attorney's obligations to protect client confidentiality
- Consider the impact on privilege of:
  - Requests for access by the patient
  - Requests for an accounting of disclosures
  - Other attempts to obtain PHI in your possession

KEY TERMS

Unofficial Guide to Key HIPAA Terms
- Protected Health Information ("PHI"): Data that identifies a specific person and describes his/her demographics, medical status/history, and payment for care.
- ePHI: PHI maintained or transmitted in electronic form.
- Covered Entity ("CE"): Individuals and organizations that provide or pay for health care.
45 C.F.R. 160.103

Unofficial Guide to Key HIPAA Terms
- Business Associate ("BA"): Individual/organization that assists CEs, and uses PHI to do so.
- Subcontractor: Individual/organization that assists BAs, and uses PHI to do so.
- Business Associate Agreement ("BAA"): Contract between a CE and a BA (or a BA and a Subcontractor) that defines the BA's (Subcontractor's) obligations to protect PHI.
45 C.F.R. 160.103, 164.504(e)

Unofficial Guide to Key HIPAA Terms
- Uses and Disclosures of PHI: Actions involving PHI in which a CE or BA might engage.
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.
- Breach: The acquisition, access, use or disclosure of PHI that is not permitted by HIPAA and that compromises the security or privacy of the PHI.

ARE YOU A BUSINESS ASSOCIATE?

Are you a Business Associate?
Business associate: "A business associate means, with respect to a covered entity, a person who provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, where the provision of the service involves the disclosure of protected health information from such covered entity, or from another business associate of such covered entity or arrangement, to the person."
45 C.F.R. 160.103

Are you a Subcontractor Business Associate?
- Subcontractor: "Person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate."
- Business associate includes: "A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate."
45 C.F.R. 160.103

If you are not a BA, what are your obligations?
- Attorney-client obligations: ethical duty to inform the client of a breach of confidentiality.
- Customer Records Act: duty to inform CA residents of breaches of personal information; duty to inform your clients that information they provided to you may have been breached.
- No duty under the Gramm-Leach-Bliley Act for attorneys, yet.

COMPLIANCE WITH THE SECURITY RULE

Business Associate Obligations
General requirements:
- Adopt administrative, physical, and technical safeguards to protect ePHI;
- Organizational requirements; and
- Policies & procedures and documentation requirements.
45 C.F.R. 164.306, et seq.

Administrative Safeguards
- Security Management: risk analysis and management; sanction policy; activity review
- Designate a Security Officer
- Workforce Training
- Contingency Planning
- Evaluation

Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device & Media Controls

Technical Safeguards
- Access Controls
- Audit Controls
- Integrity
- Person/Entity Authentication
- Transmission Security

Security Rule Requirements
- Business Associate Agreements
- Policies & Procedures
- Documentation

Best Practices
- Passwords on Electronic Devices
- Lock Your Computer Screen
- Workstation Security
- Portable Device Security
- Data Management
- Anti-Virus Software
- Computer Security
- E-mail Security
- Breach Response

Cyber-Insurance
Consider:
- Does your Professional Liability insurance cover breaches?
- Does your General Liability insurance cover breaches?
- Cyber-insurance is made to cover breaches.

COMPLIANCE WITH THE PRIVACY RULE

Business Associate Uses & Disclosures
- As permitted by the BAA and required by law.
- Specifically required: investigation by the Secretary of HHS; some individual patient requests.
- Minimum necessary.
- Disclosures to subcontractors: requires a BAA; material breach/violation by subcontractors.
45 C.F.R. 164.500, et seq.

Business Associate Agreements: Required Provisions
- Appropriate safeguards, including compliance with the Security Rule
- Report non-permitted uses/disclosures to the CE, including breaches of unsecured PHI
- Subcontractor BAAs
- Comply with Privacy Rule requests from patients, as applicable
- Availability of internal records
- Effect of termination
45 C.F.R. 164.504(e)

Business Associate Agreements: Other Considerations
- Defining minimum necessary
- Indemnification for breaches
- Mitigating the effects of breaches
- Breach notification

DEALING WITH BREACHES

Breach
The acquisition, access, use or disclosure of PHI in a manner that:
- Is not permitted by HIPAA; and
- Compromises the security or privacy of PHI.
Notification requirements for the CE. Notification requirements for the BA.
45 C.F.R. 164.400, et seq.

Breach Notification
- Presumption: a security incident involving PHI is a breach, unless the CE/BA can demonstrate that there is a low probability that the PHI has been compromised.
- Risk assessment factors include:
  - Nature of the PHI involved, including likelihood of re-identification
  - Identity of the unauthorized user/recipient
  - Actual acquisition/viewing
  - Extent of mitigation of the risk

California Breach Notification
- A business that maintains computerized data, including personal information, that the business does not own shall notify the owner of the information of any breach of the security of the data if the information was obtained by an unauthorized person.
- Personal information includes medical information.
- Notification requirements.
Cal. Civ. Code 1798.82

ENFORCEMENT

Enforcement
- The Office for Civil Rights ("OCR"): investigates complaints; conducts compliance reviews; performs education and outreach
- The California Office of Health Information Integrity ("CALOHII") also may impose administrative fines, civil penalties, and other disciplinary actions

Civil Penalties - HIPAA

Type of Violation                 Per Violation Penalty
Did not know                      $100 - $50,000
Reasonable Cause                  $1,000 - $50,000
Willful Neglect, Corrected        $10,000 - $50,000
Willful Neglect, Not Corrected    $50,000

Maximum penalty: $1.5 million.
Criminal penalties range from $50,000 and/or imprisonment for one year, to $250,000 and/or imprisonment for up to 10 years.
In addition, state attorneys general have authority to bring civil actions on behalf of residents of the state.

Civil Penalties - California (CMIA, Civil Code 56.36(c))

Negligent Disclosure
  Any person or entity (other than a licensed healthcare professional): Up to $2,500
  Any licensed healthcare professional: Up to $2,500

Knowingly and Willfully Obtains, Discloses or Uses
  Any person or entity (other than a licensed healthcare professional): Up to $25,000
  Any licensed healthcare professional: 1st violation up to $2,500; 2nd violation up to $10,000; 3rd violation up to $25,000

Knowingly and Willfully Obtains, Discloses or Uses for Financial Gain
  Any person or entity (other than a licensed healthcare professional): Up to $250,000
  Any licensed healthcare professional: 1st violation up to $5,000; 2nd violation up to $25,000; 3rd violation up to $250,000

Certain licensed facilities are also subject to administrative penalties of $25,000 - $250,000 for unlawful or unauthorized access to, and use or disclosure of, medical information. Health & Safety Code 1280.15.

Civil Penalties
HHS anticipates that it will not exact the maximum penalty in each case. Factors considered in assessing penalties:
- Nature and extent of the violation
- Nature and extent of the resulting harm
- Number of individuals affected
- Prior indications of noncompliance
- Financial condition of the covered entity
- Consideration of other matters as justice may require

CONCLUSION

Steps for Compliance
- Appoint a Security Officer
- Perform and document a risk analysis
- Create and/or revise confidentiality and security policies
- Ensure appropriate IT security safeguards are in place
- Evaluate potential threats
- Deploy appropriate hardware/software
- Develop, conduct and document attorney/staff training

Steps for Compliance: Business Associate Agreements
- Create/update your form BAA
- Inventory client relationships; execute or amend BAAs as needed
- Create/update your subcontractor form BAA
- Execute or amend subcontractor BAAs

Questions?
310-444-5244
Harry Nelson, e: hnelson@fentonnelson.com
Claire Marblestone, e: cmarblestone@fentonnelson.com