HIPAA Omnibus Final Rule and Research


HHS Office of the Secretary, Office for Civil Rights
HIPAA Omnibus Final Rule and Research
Federal Demonstration Partnership, September 17, 2013
Christina Heide, JD, Senior Health Information Privacy Policy Specialist, HHS Office for Civil Rights

Omnibus Rule
- Final Rule on HITECH Privacy, Security, and Enforcement Provisions (and certain non-HITECH changes) (proposed rule published July 2010)
- Final Rule on the new HITECH CMP (civil money penalty) structure (interim final rule published Oct. 2009)
- Final Rule on HITECH Breach Notification (interim final rule published Aug. 2009)
- Final Rule on GINA Privacy Provisions (proposed rule published Oct. 2009)

Omnibus Components
- HITECH Privacy & Security: business associates; marketing & fundraising; sale of PHI; right to request restrictions; electronic access
- HITECH Breach Notification
- HITECH Enforcement
- GINA Privacy
- Other (non-statutory) modifications: research authorizations; notice of privacy practices (NPP); decedents; student immunizations

Today's Focus
- Compound authorizations for research
- Authorizations for future research
- Period of protection for decedents
- Sale of protected health information (PHI)
- Breach notification
- Business associates (BA)

Important Dates
- Published in the Federal Register: January 25, 2013
- Effective Date: March 26, 2013
- Compliance Date: September 23, 2013
- Transition Period to Conform BA Contracts: up to September 22, 2014, for qualifying contracts

Compound Authorizations: Old Rule
- Not permitted for use/disclosure of PHI for conditioned and unconditioned research activities (e.g., separate authorization forms were required for use/disclosure of PHI in a clinical trial and for storage of PHI in a biorepository)

Compound Authorizations: New Rule
- A single authorization form is permitted for use/disclosure of PHI for conditioned and unconditioned research activities, with a clear opt-in for the voluntary (unconditioned) component
- Flexibility is permitted in how the components are differentiated
- Better aligns with Common Rule informed consent requirements

Future Use Authorizations: Old Rule
- Not permitted; authorizations for research must include descriptions that are study-specific

Future Use Authorizations: New Rule
- Permitted if the authorization has an adequate description such that it would be reasonable for the individual to expect that his/her PHI could be used for the research
- Better aligns with Common Rule informed consent requirements

Decedent Information
Old Rule
- Health information about decedents is generally protected in the same manner and to the same extent as that of living individuals
New Rule
- A decedent's information is no longer PHI after a 50-year period following death

Sale of PHI: Old Rule
- Covered entities prohibited from selling patient information; however, no general prohibition on receiving remuneration for a disclosure of PHI that is otherwise permissible

Sale of PHI: New Rule
- Even where disclosure is permitted, a CE is prohibited from disclosing PHI in exchange for remuneration without the individual's authorization
- If authorization is obtained, the authorization must state that the disclosure will result in remuneration
- Limited research exception: remuneration must be limited to the cost to prepare and transmit the PHI

Definition of Breach: Old Rule
- An impermissible use or disclosure of (unsecured) PHI which compromises the security or privacy of the information
- "Compromises" means poses a significant risk of financial, reputational, or other harm to the individual
- To determine whether notification is required, the preamble stated the CE/BA must perform a risk assessment based on at least:
  - What type or amount of PHI was used or disclosed
  - Who received/accessed the information
  - The potential that PHI was actually accessed or acquired
  - What steps were taken to mitigate
- Exceptions for inadvertent, harmless mistakes
- Narrow exception for limited data sets without dates of birth & zip codes

Definition of Breach: New Rule
- Harm standard removed
- New standard: an impermissible use/disclosure of (unsecured) PHI is presumed to require notification, unless the CE/BA can demonstrate a low probability that the PHI has been compromised, based on a risk assessment of at least:
  - Nature & extent of the PHI involved
  - Who received/accessed the information
  - The potential that PHI was actually acquired or viewed
  - The extent to which the risk to the data has been mitigated

Definition of Breach: New Rule (continued)
- Exceptions for inadvertent, harmless mistakes remain
- Exception for limited data sets without dates of birth & zip codes removed

Business Associates: Old Rule
- Covered entities may disclose PHI to BAs provided there is a contract in place to protect the information
- No direct liability on BAs for misuse of information or lack of safeguards
- Researchers are not BAs by virtue of research activities (although they may become BAs in some other capacity)

Business Associates: New Rule
- BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule, and are directly liable for violations
- BAs must comply with the use or disclosure limitations expressed in the BA contract and those in the Privacy Rule, and are directly liable for violations
- Subcontractors of a BA are now defined as BAs; BA liability flows to all subcontractors
- Researchers are still not considered BAs by virtue of research activities
- The preamble also clarifies that IRBs are not BAs by virtue of their research review, approval, and oversight functions

Guidance/Compliance Tools
- De-identification Guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/de-identification/guidance.html
- Sample Business Associate Contract Language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- Risk Analysis Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
- Security for Mobile Devices (video/web): http://www.healthit.gov/mobiledevices

Guidance/Compliance Tools: What's in the Works
- Fact Sheets/Q&A on the new provisions, including research-specific materials
- Breach Risk Assessment Tool
- Minimum Necessary Guidance
- Expanded Consumer Materials/Videos

For More Information: www.hhs.gov/ocr/privacy/