HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

Similar documents
HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

ARRA s Amendments to HIPAA Privacy & Security Rules

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

Legal and Privacy Implications of the HIPAA Final Omnibus Rule

Management Alert Final HIPAA Regulations Issued

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

HHS, Office for Civil Rights. IAPP October 11, 2012

Fifth National HIPAA Summit West

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

HIPAA Privacy Overview

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

AFTER THE OMNIBUS RULE

HIPAA Basic Training for Health & Welfare Plan Administrators

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Changes to HIPAA Under the Omnibus Final Rule

New HIPAA-HITECH Proposed Regulations Issued

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

BREACH NOTIFICATION POLICY

2016 Business Associate Workforce Member HIPAA Training Handbook

Interim Date: July 21, 2015 Revised: July 1, 2015

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

Highlights of the Omnibus HIPAA/HITECH Final Rule

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

Getting a Grip on HIPAA

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

The Impact of the Stimulus Act on HIPAA Privacy and Security

Determining Whether You Are a Business Associate

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

ALERT. November 20, 2009

Changes to HIPAA Privacy and Security Rules

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP

HIPAA Privacy Compliance Checklist

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

HIPAA / HITECH. Ed Massey Affiliated Marketing Group

ARRA 2009: Privacy and Security Provisions. Deven McGraw

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

Business Associate Agreement

H E A L T H C A R E L A W U P D A T E

Highlights of the Final Omnibus HIPAA Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

HIPAA Privacy & Security. Transportation Providers 2017

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)

HIPAA, HITECH & Meaningful Use

To: Our Clients and Friends January 25, 2013

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

AMA Practice Management Center, What you need to know about the new health privacy and security requirements

HIPAA The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? (1 of 2)

RECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:

HIPAA BUSINESS ASSOCIATE AGREEMENT

New Federal Legislation Affecting Health Plans

ACC Compliance and Ethics Committee Presentation February 19, 2013

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

OMNIBUS RULE ARRIVES

ARTICLE 1. Terms { ;1}

Disclaimer LEGAL ISSUES IN PHYSICAL THERAPY

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Interpreters Associates Inc. Division of Intérpretes Brasil

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime

Effective Date: March 23, 2016

Health Law Diagnosis

HIPAA Basics: IMPORTANT HIPAA CONCEPTS. What We re going to Cover. Training for Employee Benefits Staff

LEGAL ISSUES IN HEALTH IT SECURITY

The Privacy Rule. Health insurance Portability & Accountability Act

HIPAA: Impact on Corporate Compliance

NO , Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda

HIPAA Compliance Under the Magnifying Glass

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES

Transcription:

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1

Reasons for HIPAA Privacy Rules Perceived need for protection of individual health information Potential for abuse and concern that employees would misuse health information 2

What are the Purposes of the Privacy Rule? To give the consumer more control over health information Participant education on privacy protections. Ensuring patient access to medical records. Receiving patient authorization before information is released. Providing recourse if privacy protections are violated. 3

What are the Purposes of the Privacy Rule? To establish boundaries on the use and release of medical records Ensuring that health information is not used for improper purposes Providing the minimum amount of information necessary 4

What are the Purposes of the Privacy Rule? To establish accountability for the use and release of medical records, including: Civil penalties Federal criminal penalties 5

What Does This Mean To Me? You are in a position that could result in you having access to protected health information. If you improperly request or disclose an individual s protected health information, you could face significant monetary penalties and possible prison time. 6

Why Are You Here? Mohawk is required by law to train anyone who has access to protected health information. You need training to avoid potential personal liability. You need training to avoid subjecting others to potential personal liability. 7

Civil Penalties Increased Tiered Penalties: Tier 1: If a person is not aware of the violation (and would not have known with reasonable diligence), the penalty is at least $100/violation, not to exceed $25,000 for all violations of the same requirement in the same calendar year. These are violations in which the offender did not realize he or she violated HIPAA and would have handled the matter differently if he or she had. 8

Civil Penalties Tier 2: If a violation is due to reasonable cause (but not willful neglect), the penalty is at least $1,000/violation, not to exceed $100,000 for all violations of the same requirement in the same calendar year. Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. 9

Civil Penalties Tier 3: If violation is due to willful neglect and is corrected in 30 days, the penalty is at least $10,000/violation, not to exceed $250,000 for all violations of the same requirement in the same calendar year. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 10

Civil Penalties Tier 4: If a violation is due to willful neglect and is not corrected in 30 days, the penalty is at least $50,000/violation, not to exceed $1.5 million for all violations of the same requirement in the same calendar year. Effective Date: Willful neglect provisions are not applicable until February 2011. 11

Civil Penalties State AGs. State AGs are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages on behalf of residents. Damages are calculated by multiplying the number of violations by $100. The penalty is not to exceed $25,000 for all violations of an identical requirement during a calendar year. 12

Civil Penalties Court may award costs and reasonable attorneys fees to State. State action may NOT be brought during pendency of Federal action. Effective Date: Immediately. 13

Civil Penalties Individual Compensation. Mechanism for individuals to recover a portion of HHS civil penalty or monetary settlements. Effective Date: Regulations are to be issued by February 2012. Effective on or after date of regulations. 14

Criminal Penalties Up to $50,000 and 1 year in prison for obtaining or disclosing PHI Up to $100,000 and up to 5 years in prison for obtaining PHI under false pretenses 15

Criminal Penalties Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain, or malicious harm 16

Increased Enforcement Mechanisms Increased Audits. HHS will conduct periodic audits of covered entities and business associates, even if no complaint is filed. Willful Neglect: An audit is required if preliminary investigation of a complaint indicates willful neglect. HHS is required to impose a penalty for violations due to willful neglect. Effective Date: February 2011. Regulations to be issued by August 2010. 17

What Information Is HIPAA Designed to Protect? Protected Health Information ( PHI ) encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. 18

What Information Is HIPAA Designed to Protect? Transmitted - not defined, generally includes sharing of information electronically, by telephone, fax, mail or even orally Covered Entity - a health plan, a health plan provider, or a health care clearinghouse Note: Employers are NOT covered entities, and employment files are not subject to the HIPAA privacy requirements. 19

How Does HIPAA Impact Employment Medical Files? HIPAA does not cover the employer s medical files containing ADA, FMLA, Workers Compensation, Sick Leave, Doctor s Excuses for Absences, etc. In applying normal procedures for those leave/accommodation requests, medical providers will require an authorization from the individual to release information to Mohawk (because providers are subject to HIPAA). 20

How Does HIPAA Impact Employment Medical Files? Even though employment medical files are not subject to HIPAA, the files should be kept confidential subject to general privacy policies of Mohawk. 21

Subject to HIPAA: Group Health Plan Group Dental Plan Mohawk Plans Health Care Flexible Spending Account Plan Others Plans or programs that do not provide coverage for medical expenses are not subject to HIPAA 22

How Will the Plan Receive PHI? Examples of PHI disclosures include: A participant requests assistance in getting a claim paid under a HIPAA covered plan. A participant appeals a claim denied by the third party administrator to a Mohawk committee. 23

What are the Authorization Requirements? PHI may be used by covered entities for purposes of treatment, payment, and health care operations ( TPO ) without authorization. PHI must be disclosed to the government in the case of a HIPAA investigation. Otherwise, participant authorization is required. 24

What Must a Plan Do to Ensure Privacy? Plan documents must be amended to include required provisions. PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The plan sponsor: cannot use or disclose PHI except as permitted by the plan or required by law; 25

What Must a Plan Do to Ensure Privacy? must ensure that agents and vendors who receive PHI agree to the same restrictions; cannot use or disclose PHI for employmentrelated actions or for other benefit plans; must report to the Plan any violation of the privacy requirements; must make PHI available to individuals as required by HIPAA; 26

What Must a Plan Do to Ensure Privacy? must allow individuals to amend their PHI; must provide individuals with an accounting of disclosures of PHI; must make its practices available to the government to determine compliance; 27

What Must a Plan Do to Ensure Privacy? must return or destroy PHI received from the plan that the plan sponsor maintains in any form; must not retain copies of PHI longer than needed for the purpose for which the disclosure was made; 28

What Must a Plan Do to Ensure Privacy? ensure that security procedures have been established that: identify employees or classes of employees who will have access to PHI; restrict access solely to those individuals for the functions performed for the plan; and provide a mechanism for resolving issues of noncompliance with participants. 29

What Must a Plan Do to Ensure Privacy? Privacy policies must be developed to ensure that only the minimum necessary amount of information to achieve the purpose of the disclosure is provided to a third person and that the other HIPAA requirements are satisfied. Minimum Necessary Standard Generally, uses, disclosures and requests by a covered entity are limited to the information that is the minimum necessary to accomplish the intended purpose. 30

What Must a Plan Do to Ensure Privacy? Prior to the American Recovery and Reinvestment Act, minimum necessary was an unidentified, flexible standard. Starting February 17, 2010 and until guidance is issued, the covered entity may only use, disclose, or request limited data set information, or if more information is needed, in compliance with the minimum necessary standard. By August 2010, HHS will issue guidance on what constitutes minimum necessary. 31

What Must a Plan Do to Ensure Privacy? A Notice of Privacy Practices must be distributed to inform Plan participants of their rights under HIPAA. Physical security measures must be put in place to protect PHI (secured file cabinets, software encryption, password protected databases). 32

What Must a Plan Do to Ensure Privacy? The Proposed Rule mandates the following changes to a covered entity s notice of privacy practices: If the covered entity intends to send subsidized treatment communications, its notice of privacy practices would be required to disclose that fact and to notify the individual of the right to opt out. *On July 14, 2010, the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (the Proposed Rule ). Unless otherwise indicated, the compliance date for all provisions of the Proposed Rule will be after 180 days after the publication of the Final Rule. 33

What Must a Plan Do to Ensure Privacy? If the covered entity intends to send fundraising solicitations, the notice of privacy practices would have to notify the individual of the right to opt out (in contrast to the current Privacy Rule requirement to simply include notice of the opt-out right in the solicitation). 34

What Must a Plan Do to Ensure Privacy? The notice would be required to describe the need for an authorization for uses of psychotherapy notes, marketing, and the sale of PHI for which authorization is required. The notice would be required to inform the individual that the covered entity may not refuse a request to withhold information from a health plan where the individual pays out-of-pocket in full for the service. 35

What Must a Plan Do to Ensure Privacy? Designate a Privacy Officer to be in charge of monitoring compliance with HIPAA requirements. HIPAA covered plans must train individuals who may come into contact with PHI as to the HIPAA requirements and employer and plan procedures for maintaining the privacy of PHI. For example, all PHI information, questions or problems should be faxed, e-mailed or directed to the Privacy Officer at private fax numbers. 36

What Must a Plan Do to Ensure Privacy? Identify Business Associates HITECH* expanded the definition of business associate *Health Information Technology for Economic and Clinical Health Act ( HITECH ), which was contained in ARRA, modified The Privacy and Security Rules originally enacted in HIPAA. 37

What Must a Plan Do to Ensure Privacy? The Proposed Rule further expands the definition of Business Associate to include the following: Patient safety organizations ( PSOs ), which are organizations that conduct patient safety and quality improvement activities under the Patient Safety and Quality Improvement Act of 2005 (PSQIA). 38

What Must a Plan Do to Ensure Privacy? Organizations that provide data transmission of PHI to a covered entity, such as Health Information Organizations and E-prescribing Gateways, and those that require routine access to PHI. Vendors offering a PHR to one or more individuals on behalf of a covered entity. Subcontractors to a business associate that create, receive, maintain, or transmit PHI on behalf of a business associate. 39

What Must a Plan Do to Ensure Privacy? The Proposed Rule requires new provisions to be added to Business Associate Agreements ( BAA ) The so-called safeguards provision should be replaced with a provision requiring that business associates use appropriate safeguards and comply, where applicable, with [the Security Rule], with respect to electronically protected health information, to prevent use or disclosure of the information other than as provided for by its contract. Business associates must report to the covered entity any breach of unsecured PHI, as required by the HITECH security breach notification regulations. 40

What Must a Plan Do to Ensure Privacy? Business associates must enter into written agreements with subcontractors that create or receive PHI on behalf of the business associate imposing the same restrictions that apply to the business associate with respect to the PHI. Business associates must comply with the requirements of the Privacy Rule to the extent that the business associate is to carry out a covered entity s obligation under the Privacy Rule. For example, if a business associate is providing an individual with access to PHI, that access must be provided in accordance with Privacy Rule requirements. 41

What Must a Plan Do to Ensure Privacy? Policies and procedures for participant complaints must be developed and communicated, and records must be maintained. Retaliation for participant complaints is prohibited. 42

Can Protected Information Be Shared Among Plans? AUTHORIZATION IS REQUIRED! 43

Procedures for Handling Employee Inquiries Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues. Other Human Resources staff, supervisors, etc. will not have access to PHI and cannot provide assistance. Any inquiry that may involve PHI should be referred to the Privacy Officer. 44

Disclosure of Security Breaches Covered entities or business associates must notify each affected individual when an unauthorized disclosure of PHI occurs If there is no known contact for an individual, disclosure may be posted on Mohawk s website or through a media outlet. 45

Notification of Breach Requirements If security of Unsecured PHI is breached, the Plan must provide notice without unreasonable delay and within 60 days after discovery of breach: To the impacted individual: written notice must be sent to the last known address (with special rules if imminent misuse is possible or individual s address is unknown). To the media: If a breach involves more than 500 individuals in state or jurisdiction, notice must be sent through major media outlets. 46

To HHS: Notification of Breach Requirements If a breach involves more than 500 individuals, the Plan must notify HHS immediately, and HHS will identify the covered entity on its website. If a breach involves less than 500 individuals, the Plan must log the breach and provide the log to HHS on an annual basis. If a business associate discovers a breach, the business associate must notify the plan. 47

Notification of Breach Requirements When is a breach discovered? A breach is discovered as of the first day that it is known (or reasonably should have been known) to the covered entity or business associate. The covered entity or business associate has knowledge of the breach on the day that any employee, officer or other agent has such knowledge (except for the individual who committed the breach). 48

Notification of Breach Requirements Unsecured PHI is PHI which is not secured through the use of a technology or methodology identified by HHS as rendering the information unusable, unreadable or indecipherable to unauthorized persons On April 17, 2009, HHS issued safe-harbor guidance identifying two acceptable technologies and methodologies for securing PHI: Encryption (electronic) Destruction (electronic and paper) Notification requirements are only triggered by breach of unsecured PHI. 49

Notification of Breach Requirements On August 24, 2009, HHS issued an interim final rule regarding the HITECH breach notification rules; this rule took effect on September 23, 2009. An online form was created which covered entities must use to report breaches of PHI. Only covered entities can report breaches. Contacting affected individuals may be delegated to a business associate. 50

Notification of Breach Notice must contain: Requirements a brief description of the breach, including dates; a description of the types of unsecured PHI involved; the steps an impacted individual should take to protect against potential harm; 51

Notification of Breach Requirements a brief description of the steps the Plan has taken to investigate the incident, mitigate harm, and protect against further breaches; and contact information. 52

Prohibition on the Sale of PHI Covered entity or business associate cannot receive compensation, directly or indirectly, for any PHI unless per a valid authorization specifically addressing sale. Exceptions: for public health activities; for research (cost of data prep and transmittal); for treatment; for Health Care Operations (HCO) related to sale or transfer; 53

Prohibition on the Sale of PHI for payment of business associate for services under BAA; to provide an individual with his/her PHI; and for other instances permitted by the Secretary in further guidance. Effective Date: Regulations to be issued by August 2010. Effective six months thereafter. 54

Prohibition on the Sale of PHI The Proposed Rule adds the following provisions: The treatment exception would be expanded to include disclosures for payment, clarifying that disclosures of PHI to obtain payment are not sales of PHI. An authorization for the sale of PHI would be required to state that the covered entity will be receiving remuneration for the disclosure. The prohibition does not apply to a reasonable, costbased fee charged to the individual by a covered entity for an accounting of disclosures. 55

Prohibition on the Sale of PHI Covered entities are allowed to receive payment for a disclosure that is required by law. The sale of PHI is permitted as determined by the Secretary pursuant to regulations to be necessary and appropriate, so long as the fee charged is either reasonable and cost-based or expressly permitted by another law. 56

Restrictions on Marketing A communication by a covered entity or business associate that is about a product/service and encourages the recipient to purchase or use same is NOT considered an HCO UNLESS it: describes a health-related product/service (or payment for same) that is provided by or included in the plan of covered entity making communication; is for treatment; or is for case management or care coordination for the individual or to direct/recommend certain alternative treatments, therapies, health care providers, or settings of care to the individual. 57

Restrictions on Marketing However, if a communication meets one of the exceptions and the covered entity receives a payment, directly or indirectly, for making such communication, then it is NOT an HCO EXCEPT where: The communication describes only a drug/biologic currently prescribed for recipient and any payment received by covered entity for making communication is reasonable in amount ; AND The covered entity makes communication and covered entity obtains authorization from recipient; OR business associate makes communication on behalf of the covered entity and communication is consistent with business associate agreement. 58

Conclusion Compliance with the HIPAA privacy requirements requires significant cultural and procedural changes. Some employees will require additional training. Training is MANDATED for all individuals who may have access to PHI. 59

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback