Coping with, and Taking Advantage of, HIPAA's New Rules
Deven McGraw, Director, Health Privacy Project
April 19, 2013


Status of Federal Privacy Regulations
- Omnibus Rule (Data Breach, Enforcement, HITECH, GINA) published January 25, 2013; effective March 26, 2013; entities must be in compliance by September 23, 2013.
- History: Health Information Technology for Economic and Clinical Health Act (HITECH), enacted February 2009
  - Interim Final Rule (Data Breach), August 24, 2009
  - Interim Final Rule (Enforcement), October 30, 2009
  - Notice of Proposed Rulemaking (HITECH Rule), July 14, 2010, including Enforcement
- Genetic Information Nondiscrimination Act of 2008 ("GINA")
  - History: Notice of Proposed Rulemaking (GINA Rule), October 7, 2009

Scope of the Omnibus Rule
- Research uses of data: compound and more general authorizations
- Prohibition on sale of PHI without authorization, with a research exemption
- Revised breach notification standard
- Patient access to information contained in an electronic health record
- Regulation of business associates ("BAs") and subcontractors

What's Not in the Omnibus Rule
- Right of individuals to get an accounting of access to or disclosures of their health information (aka "Accounting of Disclosures"): still in process
- Methodology for giving individuals harmed by HIPAA violations a percentage of any civil monetary penalties or settlements collected (HITECH Section 13409(c)(3)): no rule proposed yet
- Not yet released: the report on privacy protections for PHRs not covered by HIPAA, and guidance on implementation of the minimum necessary standard
- HITECH also mandated a study of the definition of psychotherapy notes; no specific deadline for the study

Implementation of the Omnibus Rule
- The majority of the HITECH statutory provisions took effect on February 18, 2010, but federal regulators did not enforce them until rules were issued
- Omnibus Rule is effective March 26, 2013 (60 days from publication) ("Effective Date")
- Enforcement rule changes are effective March 26, 2013
- Covered entities and business associates have 180 days from the Effective Date (September 23, 2013) to come into compliance ("Compliance Date"); this includes GINA compliance
- Business Associate Agreements must all be amended by September 22, 2014

Research
- Researchers have sought changes to both HIPAA and the Common Rule to ease the pathway to uses of data for research purposes
- Common Rule Advance Notice of Proposed Rulemaking (ANPRM) released July 2011; unclear if/when a proposed rule will be released
- Omnibus Rule includes a few provisions:
  - Compound authorizations allowed: a conditioned authorization (patient can't say no and still be in the study) can be combined with an unconditioned one (patient can say no, e.g., consent for further uses of study data/samples)
  - Authorizations no longer have to be study-specific; an authorization can cover future research as long as the description of the future research uses is sufficiently clear that it would be reasonable for an individual to expect that his/her PHI could be used or disclosed for such future research

Sale of PHI
- HITECH: patient authorization generally required for sales of PHI, with notice that the disclosure of PHI is in exchange for remuneration (which includes non-financial remuneration)
- But what constitutes a sale of PHI: any disclosure of PHI for which remuneration changes hands, or only an outright sale? The Rule takes the broader position: a disclosure of PHI in exchange for remuneration is a sale, not only an outright transfer of the data.
- Does not apply to de-identified data, but does apply to a limited data set

Sale of PHI: Exceptions
- Public health
- Research purposes: remuneration must be reasonably related to the cost of preparing and transmitting the information (can include indirect costs but cannot make a profit)
- Treatment and payment: disclosure of PHI to receive payment is not a sale of PHI
- Corporate transactions
- Disclosures to business associates
- Disclosures to the individual
- Disclosures required by law
- Other disclosures permitted by the rules, provided remuneration is related to the cost of making the disclosure

Research Exemption to the Sale of Data Prohibition
- Sales do not include payments a covered entity may receive in the form of grants, contracts or other arrangements to conduct a research study, because any provision of PHI to the payer is a byproduct of the service being provided.
- But if the covered entity is paid (directly or indirectly) to supply data to a researcher, that is considered a sale, and therefore the amount remunerated must meet the parameters of the exemption.

Remuneration Rules
- Remuneration must be reasonable and cost-based: it includes direct and indirect costs, "including labor, materials, and supplies for generating, storing, retrieving, and transmitting the [PHI]; labor and supplies to ensure the [PHI] is disclosed in a permissible manner; as well as related capital and overhead costs."
- Fees charged to earn a profit are not allowed.
- HHS states: "we intend to work with the research community to provide guidance and help the research community reach a common understanding of appropriate cost-based limitations on remunerations."

Breach Notification
- HITECH established the right of individuals to be notified of breaches of PHI
- Breach = "the unauthorized acquisition, access, use or disclosure of [PHI] which compromises the security or privacy of such information"
- Exceptions include inadvertent, good-faith access or disclosures within a CE/BA if the data is not further subject to unauthorized use

IFR Breach Notification Standard
- Interim Final Rule (IFR) (2009): CEs/BAs must notify of breaches of unsecured PHI that pose a significant risk of harm to the data subjects
- Harm includes financial and other harm; the standard was controversial
- Data correctly encrypted per NIST standards is not unsecured PHI

Omnibus Rule Breach Notification Standard
- Definition of breach is changed
- An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been compromised
- Determining whether there is a low probability that the data has been compromised requires analysis of what happened (or may have happened) to the data

Breach Notification Risk Assessment
- CE/BA should perform a risk assessment after breach discovery and must consider at least the following:
  - Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
  - Who the recipient of the PHI was
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk of misuse of the PHI has been mitigated

Breach Notification: Burden of Proof
- If no risk assessment is performed, the default is notification
- The burden of demonstrating a low probability that the PHI is compromised is on the CE/BA
- A decision not to notify must be documented in case of review

Breach Notification: Obligations to Notify
- CEs must notify individuals (although they can delegate this to BAs)
- BAs must notify CEs
- Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain

Breach Notification: Examples of Risk Analysis Criteria
- Likelihood of identification or re-identification:
  - A list of patient names: not low probability
  - Patient discharge data with the patient not specified: can patients be re-identified? Could be low probability (depends on circumstances)
- Who the unauthorized recipient is:
  - A HIPAA covered entity: low probability, as long as you have evidence the risk has been mitigated
  - An employer, which may be able to use personnel records to re-identify: not low probability

Breach Notification: Examples of Risk Analysis Criteria (2)
- PHI actually acquired or viewed:
  - Laptop recovered untampered with: low probability (the CE/BA still carries the burden of showing it was not accessed)
  - Information mailed to the wrong person: not low probability
- Has improper use been mitigated:
  - Satisfactory assurances of destruction from a known person: low probability
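The breach-determination logic from the preceding slides (encryption safe harbor, presumption of breach, the four-factor assessment, burden of proof and the 60-day outer limit), written out as a small decision helper. This is an added example and is not code from the presentation or from HHS; the dataclass names, the `determine` function and the constructed incidents are the example's own assumptions. The code enforces the procedural requirements (an assessment exists, addresses every required factor and is documented); the overall low-probability conclusion stays the assessor's judgement, since the rule does not prescribe a scoring formula.

```python
"""Breach-determination helper for the Omnibus Rule logic on the slides above.

Added example; not from the presentation. It enforces:
  1. PHI encrypted per NIST guidance is not "unsecured PHI", so the breach
     notification rules do not apply.
  2. An impermissible use or disclosure is presumed a breach unless a documented
     risk assessment, covering at least the four required factors, concludes
     there is a low probability the PHI was compromised. No assessment, or an
     assessment that skips a factor, cannot carry the CE/BA's burden of proof,
     so the default of notification applies.
  3. Notification is due as soon as possible and no later than 60 days after
     discovery; the helper computes that outer bound.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# The factors the rule requires an assessment to consider, at a minimum.
FACTORS = (
    "nature_and_extent",   # identifiers involved, likelihood of re-identification
    "recipient",           # who received the PHI
    "acquired_or_viewed",  # whether the PHI was actually acquired or viewed
    "mitigation",          # extent to which the risk of misuse has been mitigated
)


@dataclass
class RiskAssessment:
    findings: Dict[str, str]   # factor name -> written finding
    low_probability: bool      # assessor's overall conclusion
    assessed_by: str


@dataclass
class Incident:
    description: str
    discovered: date
    encrypted_per_nist: bool                      # secured PHI: outside the breach rules
    assessment: Optional[RiskAssessment] = None   # None = no assessment performed


@dataclass
class Determination:
    notify: bool
    basis: str
    deadline: Optional[date]          # outer bound only; notify sooner when possible
    record: Dict[str, object] = field(default_factory=dict)  # retained in case of review


def determine(incident: Incident) -> Determination:
    """Apply the presumption of breach and return the decision with its paper trail."""
    record: Dict[str, object] = {
        "incident": incident.description,
        "discovered": incident.discovered.isoformat(),
    }
    if incident.encrypted_per_nist:
        return Determination(False, "PHI encrypted per NIST guidance; not unsecured PHI",
                             None, record)

    deadline = incident.discovered + timedelta(days=60)
    record["deadline"] = deadline.isoformat()
    a = incident.assessment
    if a is None:
        return Determination(True, "no risk assessment performed; presumption of breach stands",
                             deadline, record)

    record["assessment"] = {"findings": dict(a.findings), "assessed_by": a.assessed_by,
                            "low_probability": a.low_probability}
    missing = [f for f in FACTORS if not a.findings.get(f, "").strip()]
    if missing:
        # An incomplete assessment cannot carry the burden of proof: treat as a breach.
        return Determination(True, "assessment did not address: " + ", ".join(missing),
                             deadline, record)
    if not a.low_probability:
        return Determination(True, "assessment did not find low probability of compromise",
                             deadline, record)
    # Decision not to notify: the record above is what gets filed in case of review.
    return Determination(False, "documented assessment found low probability of compromise",
                         None, record)


# Constructed scenarios mirroring the slides' examples; not real incidents.
DISCOVERED = date(2013, 5, 1)

ENCRYPTED_LAPTOP = Incident("stolen laptop, full-disk encryption per NIST guidance",
                            DISCOVERED, encrypted_per_nist=True)

NO_ASSESSMENT = Incident("lost unencrypted USB drive, no assessment performed",
                         DISCOVERED, encrypted_per_nist=False)

MISDIRECTED_MAIL = Incident(
    "list of patient names mailed to the wrong person", DISCOVERED, False,
    RiskAssessment({"nature_and_extent": "names, direct identifiers",
                    "recipient": "unknown member of the public",
                    "acquired_or_viewed": "envelope opened before return",
                    "mitigation": "no assurances obtained"},
                   low_probability=False, assessed_by="privacy officer"))

UNTAMPERED_LAPTOP = Incident(
    "misplaced laptop recovered", DISCOVERED, False,
    RiskAssessment({"nature_and_extent": "clinic schedule with names",
                    "recipient": "found by hospital security, never left the site",
                    "acquired_or_viewed": "logon audit shows no access; disk untampered",
                    "mitigation": "device recovered and wiped"},
                   low_probability=True, assessed_by="privacy officer"))

INCOMPLETE = Incident(
    "spreadsheet e-mailed to another covered entity", DISCOVERED, False,
    RiskAssessment({"nature_and_extent": "discharge dates, no names",
                    "recipient": "HIPAA covered entity",
                    "acquired_or_viewed": "opened by recipient"},
                   low_probability=True, assessed_by="privacy officer"))  # mitigation missing
```

The `INCOMPLETE` scenario is the case to watch: the assessor concluded low probability, but the mitigation factor was never addressed, so the helper falls back to notification because the documentation cannot carry the burden of proof. Keeping the returned `record` is what satisfies the "decision not to notify must be documented" requirement.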

Breach Notification: What Did Not Change
- Definition of "unsecured protected health information"
- When a breach is treated as discovered
- Timeline for notifications (as soon as possible, but no later than 60 days)
- Content of notification
- Methods of notification
- Notification to the media and the Secretary (minor modification: counting from the year of discovery)
- Notification by business associates
- Delay requested by law enforcement
- Documentation and burden of proof
- Pre-emption standard regarding state laws

Patient Access to Electronic Health Information
- If PHI is held electronically, the individual is entitled to an electronic copy if it is in a designated record set (not just the information in an "EHR")
- Must be in the format requested if readily producible; if not, in a readable electronic form and format agreed upon by the entity and the individual
- Not required to buy new software to do this, but must have the capability to provide some electronic copy
- If the individual declines to accept the electronic formats the entity makes available, the entity can default to hard copy
- Not required to accept the patient's device, but can't require individuals to purchase a device from you if they don't want to

Patient Access: Reasonable Safeguards
- Must have reasonable safeguards in place to protect transmission of ePHI, but
- If an individual wants the information by unencrypted e-mail, the entity can send it if it advises the individual that such transmission is risky
- Must have a secure mechanism; can't force individuals to accept an unsecure one
- Omnibus Rule allows up to 60 days to respond (30 days less than the previous rule allowed); the preamble urges entities to make information available sooner when possible

Patient Access: Third Parties, Charges
- Individuals can have the copy directed to another person/entity, but the choice must be in writing and clearly identify the recipient
- The information must be protected, and the entity must implement reasonable policies and procedures to send it to the right place (e.g., type the e-mail address correctly)
- "In writing" can be electronic
- Fees charged are restricted to labor costs; they cannot include costs of retrieval, or a portion of capital costs
- The charge can include supplies provided to the individual upon request

Business Associates/Subcontractors
- Omnibus Rule conforms HIPAA regulations to the HITECH Act changes
- Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
- After HITECH, BAs and subcontractors are regulated directly under HIPAA:
  - Must comply with the Security Rule (the rule is flexible to accommodate small BAs)
  - Must comply with some of the Privacy Rule and the provisions of the BAA

BAs: Expanded Regulation
- Expanded definition of "business associate"
- Business associate means one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI
- "Business associate" now also means a subcontractor of a business associate who creates, receives, maintains or transmits PHI on behalf of the business associate
- Status as a BA is based upon role and responsibilities, not on whether a contract exists
- Researchers are not BAs unless they are working on a covered entity's behalf

BAs: Expanded Regulation (continued)
- Implications for subcontractor relationships:
  - The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements
  - A subcontractor of a subcontractor is also a BA, and so on
  - As a result, the HIPAA/HITECH obligations that apply to BAs also apply directly to subcontractors

BAs: Uses of PHI
- BAs may use or disclose PHI only as permitted by the BAA or required by law
- BAs may not use or disclose PHI in a manner that would violate the Privacy Rule
- Subcontractors are subject to the limits in the initial CE-BA agreement; BAs must pass them along in subcontracts
- A BA is not making a permitted use or disclosure if it is not following the minimum necessary rules
- A BA does not comply if it knows of a subcontractor's material noncompliance and does not take reasonable steps to cure the breach or, if such steps fail, to terminate the relationship

BAs: Consequences
- The Secretary is authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
- BAs (including subcontractors) are subject to civil money penalties for HIPAA and HITECH violations
- CEs/BAs/subcontractors may be directly liable for the actions of their agents
- BAs/subcontractors remain liable under contract to the CE/BA
- Revised BAAs must be in place by September 22, 2014

Questions?
Deven McGraw
202-637-9800 x133 (new extension)
deven@cdt.org
www.cdt.org/healthprivacy
@healthprivacy